Re: CSP violations introduced by Addons / Extensions

Hi Eduardo! Moving this thread to public-webappsec.

In a nutshell, extensions shouldn't be generating CSP violation reports.
They currently do, but that's an implementation bug.

I'm working on that in WebKit in
https://bugs.webkit.org/show_bug.cgi?id=97398, and I believe Mozilla has
also recognized the need to fix things up in their implementation.

So, things will get better. :)

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91


On Thu, Oct 25, 2012 at 8:22 AM, Eduardo' Vela <evn@google.com> wrote:

> We've noticed that Extensions and Addons are responsible for CSP reports,
> and it's hard for us to debug that.
>
> It would be nice if there was a flag in the report that specifies if the
> violation was initiated by an extension or an addon.
>
> I understand there are challenges on doing this (eg, an extension can
> inject a script which later generates a report).
>
> Being able to differentiate these problems would help us more quickly
> and efficiently reproduce and triage bugs.
>
> This goes hand in hand with the other request (generating a DOM
> event/error on CSP violations).
>
>
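Until the browser-side fix lands, the reporting endpoint can do the differentiation Eduardo asks for itself. The following is an added example, not code from either poster or from any browser project: a small Python triage step that reads `csp-report` JSON payloads and buckets a report as extension noise when its `blocked-uri` or `source-file` uses an extension scheme. The scheme list, the field names used for the heuristic and the sample reports are assumptions constructed for the example. As Eduardo notes, a script an extension injects can later trigger a violation that looks like it came from the page, so this heuristic only catches the directly attributable cases.

```python
import json
from urllib.parse import urlsplit

# Assumption for this example: extension-injected resources surface in
# blocked-uri / source-file with one of these URL schemes.
EXTENSION_SCHEMES = {
    "chrome-extension",
    "moz-extension",
    "safari-extension",
    "safari-web-extension",
    "ms-browser-extension",
}


def scheme_of(value):
    """Return the lowercase URL scheme of a report field, or None for an
    empty field or a keyword value such as 'inline', 'eval' or 'self'."""
    if not value:
        return None
    return urlsplit(value).scheme.lower() or None


def classify_report(report):
    """Tag one CSP violation report as 'extension' or 'page'.

    Accepts either the {"csp-report": {...}} wrapper or the bare body.
    """
    body = report.get("csp-report", report)
    for field in ("blocked-uri", "source-file"):
        if scheme_of(body.get(field, "")) in EXTENSION_SCHEMES:
            return "extension"
    return "page"


def triage(raw_reports):
    """Split a batch of JSON payloads into page-originated reports, which
    deserve investigation, and extension-originated noise."""
    buckets = {"page": [], "extension": []}
    for raw in raw_reports:
        report = json.loads(raw)
        buckets[classify_report(report)].append(report)
    return buckets


# Constructed sample payloads in the csp-report wrapper format.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://app.example/",
        "violated-directive": "script-src 'self'",
        "blocked-uri": "chrome-extension://abcdefghijklmnop/inject.js",
    }}),
    json.dumps({"csp-report": {
        "document-uri": "https://app.example/",
        "violated-directive": "script-src 'self'",
        "blocked-uri": "inline",
        "source-file": "moz-extension://12345678-1234-1234-1234-123456789abc/content.js",
        "line-number": 1,
    }}),
    json.dumps({"csp-report": {
        "document-uri": "https://app.example/",
        "violated-directive": "script-src 'self'",
        "blocked-uri": "https://cdn.example/analytics.js",
    }}),
    json.dumps({"csp-report": {
        "document-uri": "https://app.example/",
        "violated-directive": "script-src 'self'",
        "blocked-uri": "inline",
        "source-file": "https://app.example/static/app.js",
        "line-number": 42,
    }}),
]

if __name__ == "__main__":
    result = triage(SAMPLE_REPORTS)
    for bucket, reports in result.items():
        print(f"{bucket}: {len(reports)} report(s)")
```

Reports in the `page` bucket are the ones worth reproducing; the `extension` bucket can be counted for trend purposes but should not page anyone. Keywords like `inline` and `eval` have no scheme, so they fall through to the page bucket unless `source-file` points at an extension.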

Received on Thursday, 25 October 2012 06:55:45 UTC