Re: [webappsec] POLL: Getting CSP 1.1 to LCWD

From: Daniel Veditz <dveditz@mozilla.com>
Date: Tue, 01 Oct 2013 17:01:18 -0700
Message-ID: <524B624E.6090003@mozilla.com>
To: public-webappsec@w3.org

On 10/1/2013 3:03 PM, Glenn Adams wrote:
> In creating a television user interface using the Open Web Platform,
>  these companies are often not exempted from requirements they
> encounter when using other mediums for transmission. In the U.S. at
> least, Emergency Alert Services are part of such requirements.

If the alerts are part of the video stream they'd be pretty immune from
tampering.

>> I'd worry far more about malicious addons than compromised ones. The
>> former is a reality, but CSP isn't going to help that problem.
>
> Well, if CSP enabled authors to declare that addons should not inject
> script and the end user doesn't override that declaration, then we
> believe CSP could help.

What stops the malicious addon from simply suppressing such a prompt and 
injecting itself anyway? Once the user is infected with malware it's no 
longer their computer and the browser cannot make any guarantees.

-Dan Veditz
Received on Wednesday, 2 October 2013 00:01:37 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:03 UTC