- From: Mike West <mkwst@google.com>
- Date: Mon, 29 Oct 2012 11:38:53 +0100
- To: Ingo Chao <ichaocssd@googlemail.com>
- Cc: Dan Veditz <dveditz@mozilla.com>, "Eduardo' Vela" <evn@google.com>, public-webappsec@w3.org
- Message-ID: <CAKXHy=cFoP9jCCLgeatvDZHf3ynrnD5XtcY3yH12ii4L15fQ6Q@mail.gmail.com>
While I agree with you that detecting and killing malicious extensions is a good thing, I don't believe that CSP is the proper level of the stack to do that work. To your specific points:

1. Chrome deals with the risk of malicious extensions inside enterprises by giving IT departments the ability to control extension installation via policy. This seems like a better solution than exposing information about installed extensions to the web at large.

2. I think making detection of extensions like AdBlock simpler than it already is falls well outside the functionality CSP is intended to provide.

In short, user agents quite intentionally give extensions the ability to override the wishes of site authors. Transferring that authority (or some semblance of it) back to the site author seems problematic, even if done with good intentions.

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

On Mon, Oct 29, 2012 at 10:23 AM, Ingo Chao <ichaocssd@googlemail.com> wrote:

> On Mon, Oct 29, 2012 at 9:42 AM, Mike West <mkwst@google.com> wrote:
> > The other side of that concern is leaking information about what extensions
> > a user has installed to the site owner. At the moment, that's an explicit
> > non-goal of the spec. I'm of the opinion that it should stay that way.
> >
> > What is the privacy impact that you're worried about? I'm not sure I
> > understand the use-case.
> >
>
> 1 An attacker who knows that a company uses addons (e.g. through
> inspection of the tracking pixels) may craft a special "update" to the
> addon and may try to distribute it to employees who are in charge of
> web analytics. Such an add-on may silently compromise the security of
> the company.
>
> 2 Users may install "useful" addons that, apart from phoning home,
> replace advertisements/other content in popular webpages. A CSP that
> informs the site owner about such interactions of the addon with the
> page could lead to certain actions. Without the CSP, the site owner
> will never know what happens.
>
> Currently, our security measure is to rely on the user's trust in the
> creator of the add-on.
>
> Ingo
>
Received on Monday, 29 October 2012 10:39:43 UTC