Re: [CSP] Request to amend bookmarklet/extensions sentence in CSP1.1

On 7/31/2014 6:24 PM, Philip S Constantinou wrote:
> Evernote voices our strong opposition to the wording changes regarding
> extensions and bookmarklets in CSP1.1 and our strong support of 

The wording change is nearly meaningless and you should focus elsewhere.
In the old text browsers "should not" interfere but were allowed to. The
current text allows browser to interfere, but they "may" chose not to.
With either wording the browser is free to interfere or not and be
perfectly spec compliant.

Both Google and Mozilla representatives have expressed strong support
for the concept that add-ons represent the user and should not be
interfered with. In practice that's a hard thing to achieve.

> To create a great
> user experience, our extensions insert JavaScript into the viewers page
> upon user request. This mechanism risks being broken by the vague
> extension/bookmarklet wording change proposed in CSP 1.1.

There is no way for the browser engine to distinguish between script
inserted by an add-on and script inserted by an attack. (It's also
potentially insecure if a malicious page can manipulate your scripts.)
Both Chrome and Firefox have features that allow extensions to run code
in a separate context that can manipulate the page; in Firefox you want
to check out evalInSandbox(). If you run scripts in this way they will
not be blocked by CSP because we can distinguish use of that privileged
feature from web content.

Of course if that script tries to add remote content to the page
(images, for example) those can still be blocked. I've got ideas on how
we could fix that in Firefox but need someone to write the code.

> We strongly believe that users should be allowed to control their own
> experience on the web through a choice of browser and the use of
> browsers extensions.

I share your belief.

> Changing the CSP specification in a way that limits
> browser extensions operates counter to the needs of users and limits
> companies like ours from making the web better for everyone.

The specification is not the problem.

-Dan Veditz

Received on Friday, 1 August 2014 03:33:28 UTC