- From: Mike West <mkwst@google.com>
- Date: Thu, 25 Oct 2012 08:54:56 +0200
- To: "Eduardo' Vela" <evn@google.com>
- Cc: public-webappsec@w3.org
- Message-ID: <CAKXHy=cjzoZhQ36xUTLLJPdW7My+X2xN3ixJJgpn8k4xkeTvag@mail.gmail.com>

Hi Eduardo! Moving this thread to public-webappsec.

In a nutshell, extensions shouldn't be generating CSP violation reports. They currently do, but that's an implementation bug. I'm working on that in WebKit in https://bugs.webkit.org/show_bug.cgi?id=97398, and I believe Mozilla has also recognized the need to fix things up in their implementation.

So, things will get better. :)

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

On Thu, Oct 25, 2012 at 8:22 AM, Eduardo' Vela <evn@google.com> wrote:

> We've noticed that Extensions and Addons are responsible for CSP reports,
> and it's hard for us to debug that.
>
> It would be nice if there was a flag in the report that specifies if the
> violation was initiated by an extension or an addon.
>
> I understand there are challenges on doing this (e.g., an extension can
> inject a script which later generates a report).
>
> Being able to differentiate these problems would assist us to more quickly
> and efficiently reproduce and triage bugs.
>
> This goes hand in hand with the other request (generating a DOM
> event/error on CSP violations).

Received on Thursday, 25 October 2012 06:55:45 UTC