- From: Ingo Chao <ichaocssd@googlemail.com>
- Date: Thu, 25 Oct 2012 09:24:51 +0200
- To: Mike West <mkwst@google.com>
- Cc: "Eduardo' Vela" <evn@google.com>, public-webappsec@w3.org
Without the violation report for extensions/addons, monitoring loses the chance to highlight risks coming from injected scripts. Suggesting to have an optional watch-extensions directive for Content-Security-Policy-Report-Only, and a corresponding flag in the report.

Ingo

On Thu, Oct 25, 2012 at 8:54 AM, Mike West <mkwst@google.com> wrote:
> Hi Eduardo! Moving this thread to public-webappsec.
>
> In a nutshell, extensions shouldn't be generating CSP violation reports.
> They currently do, but that's an implementation bug.
>
> I'm working on that in WebKit in
> https://bugs.webkit.org/show_bug.cgi?id=97398, and I believe Mozilla has
> also recognized the need to fix things up in their implementation.
>
> So, things will get better. :)
>
> --
> Mike West <mkwst@google.com>, Developer Advocate
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>
>
> On Thu, Oct 25, 2012 at 8:22 AM, Eduardo' Vela <evn@google.com> wrote:
>>
>> We've noticed that Extensions and Addons are responsible for CSP reports,
>> and it's hard for us to debug that.
>>
>> It would be nice if there was a flag in the report that specifies if the
>> violation was initiated by an extension or an addon.
>>
>> I understand there are challenges on doing this (eg, an extension can
>> inject a script which later generates a report).
>>
>> Being able to differentiate these problems would assist us to more quickly
>> and efficiently reproduce and triage bugs.
>>
>> This goes hand in hand with the other request (generating a DOM
>> event/error on CSP violations).
Received on Thursday, 25 October 2012 07:25:18 UTC
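As an added example (not code from this thread, from W3C, or from any browser vendor), here is how a report-uri endpoint could triage incoming CSP violation reports today, when no browser sends the extension flag that Eduardo and Ingo ask for. It first honours such a flag if one is ever present, under the assumed field name `extension-initiated` (hypothetical; no browser ships it), and otherwise falls back to a heuristic: reports whose `blocked-uri` or `source-file` carries a browser-extension URL scheme are set aside from reports about the site's own content. The `example.test` reports are constructed for the example and are not real data.

```python
import json
from urllib.parse import urlsplit

# URL schemes browsers use for extension / add-on resources. A report whose
# blocked-uri or source-file carries one of these almost certainly originates
# from an extension rather than from the page's own code.
EXTENSION_SCHEMES = {
    "chrome-extension",      # Chrome / Chromium
    "moz-extension",         # Firefox WebExtensions
    "safari-extension",      # Safari
    "ms-browser-extension",  # legacy Edge
    "chrome",                # legacy Firefox XUL add-ons (chrome://)
    "resource",              # legacy Firefox add-on resources (resource://)
}

# Hypothetical report field, as proposed in the thread. No browser sends it;
# the name is an assumption made for this example only.
HYPOTHETICAL_EXTENSION_FLAG = "extension-initiated"


def _scheme(uri):
    """Return the lowercase scheme of a URI, or '' if it has none."""
    if not uri:
        return ""
    return urlsplit(uri).scheme.lower()


def classify_report(raw):
    """Classify one CSP violation report (JSON text or already-parsed dict).

    Returns a dict with:
      extension_suspected: True if the report looks extension-initiated
      reason:              why it was classified that way
      report:              the inner 'csp-report' object
    """
    doc = json.loads(raw) if isinstance(raw, str) else raw
    report = doc.get("csp-report", doc)

    # 1. Honour an explicit flag if a browser ever sends one (hypothetical).
    if HYPOTHETICAL_EXTENSION_FLAG in report:
        return {"extension_suspected": bool(report[HYPOTHETICAL_EXTENSION_FLAG]),
                "reason": "explicit flag in report",
                "report": report}

    # 2. Otherwise fall back to the URI scheme heuristic.
    for field in ("blocked-uri", "source-file"):
        if _scheme(report.get(field)) in EXTENSION_SCHEMES:
            return {"extension_suspected": True,
                    "reason": "%s has an extension scheme" % field,
                    "report": report}

    return {"extension_suspected": False,
            "reason": "no extension indicator",
            "report": report}


def triage(reports):
    """Split a batch of raw reports into (site_reports, extension_reports)."""
    site, ext = [], []
    for raw in reports:
        result = classify_report(raw)
        (ext if result["extension_suspected"] else site).append(result)
    return site, ext


# Constructed sample reports in the CSP 1.0 'csp-report' shape (not real data).
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://example.test/account",
        "violated-directive": "script-src 'self'",
        "blocked-uri": "chrome-extension://abcdefghijklmnop/inject.js",
        "original-policy": "script-src 'self'; report-uri /csp"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://example.test/account",
        "violated-directive": "script-src 'self'",
        "blocked-uri": "inline",
        "source-file": "https://example.test/account",
        "line-number": 12,
        "original-policy": "script-src 'self'; report-uri /csp"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://example.test/account",
        "violated-directive": "script-src 'self'",
        "blocked-uri": "https://third-party.example/unexpected.js",
        "original-policy": "script-src 'self'; report-uri /csp"}}),
]

if __name__ == "__main__":
    site_reports, ext_reports = triage(SAMPLE_REPORTS)
    print("%d site report(s), %d extension report(s)"
          % (len(site_reports), len(ext_reports)))
```

The heuristic has exactly the gap Eduardo describes: an extension that injects an inline script, or a script fetched from an ordinary https:// origin, produces a report with no extension scheme anywhere in it, so the second and third sample reports land in the site bucket even if an add-on caused them. That is why the thread asks for a browser-supplied flag rather than leaving the distinction to the receiving endpoint.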