Re: CSP violations introduced by Addons / Extensions

On Mon, Oct 29, 2012 at 9:42 AM, Mike West <mkwst@google.com> wrote:
> The other side of that concern is leaking information about what extensions
> a user has installed to the site owner. At the moment, that's an explicit
> non-goal of the spec. I'm of the opinion that it should stay that way.
>
> What is the privacy impact that you're worried about? I'm not sure I
> understand the use-case.
>

1. An attacker who knows that a company uses add-ons (e.g. through
inspection of the tracking pixels) may craft a special "update" to the
add-on and may try to distribute it to employees who are in charge of
web analytics. Such an add-on may silently compromise the security of
the company.

2. Users may install "useful" add-ons that, apart from phoning home,
replace advertisements/other content in popular web pages. A CSP that
informs the site owner about such interactions of the add-on with the
page could lead to certain actions. Without the CSP, the site owner
will never know what happens.

Currently, our security measure is to rely on the user's trust in the
creator of the add-on.

Ingo

Received on Monday, 29 October 2012 09:23:33 UTC