Re: [CSP] Request to amend bookmarklet/extensions sentence in CSP1.1

From: Brian Smith <brian@briansmith.org>
Date: Sun, 3 Aug 2014 20:17:04 -0700
Message-ID: <CAFewVt6YHf_Oxe+szKjfXZ+PypEDeAe55MXjB3wLpvpD_sZ2jg@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>
Cc: Philip Constantinou <constantinou@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Mike West <mkwst@google.com>, Adam Barth <w3c@adambarth.com>, Daniel Veditz <dveditz@mozilla.com>

On Sun, Aug 3, 2014 at 4:28 PM, Brad Hill <hillbrad@gmail.com> wrote:
>   But I do think there are also two issues here that we can and
> perhaps should decompose: extensions/plugins versus bookmarklets
>   Extensions and plugins are by their nature proprietary at this time.
> I think it is likely that user agents will find a way to allow them to
> work with Content Security Policy, but it is unlikely that a) they
> will do so by simply allowing direct modification of the DOM with
> injected script or b) that whatever mechanisms are employed will be
> consistent across browsers, as the architectures of extension/plugin
> technologies are user-agent specific.  The differences between the
> internal architectures of Firefox and Chrome plugins, for example, are
> profound, and neither is within the scope of the W3C.

I think it is likely that the web platform may need new features to
allow extensions to inject things into pages safely. Or, more likely,
the web platform may need new features to allow extensions to provide
the *illusion* of doing so, so that it can be safe. But, I also think
that workable proposals for doing so will come from the extension
development community, not from web browser makers, due to differences
in priorities. As long as extension developers keep insisting that
extension-injected script tags should somehow "just work," we are
unlikely to make progress.

>   Bookmarklets are a slightly different case because a big part of
> their value proposition is that they are "just javascript" and work in
> a relatively uniform manner across all browsers.

Bookmarklets should be banished from the internet. They are a huge
security risk because they lack an update mechanism for security
updates, which is a fundamental requirement for any client-side code.
All bookmarklets should be replaced by extensions, or by safe
declarative things like the MSIE "accelerators." With this in mind, it
would be totally reasonable for the CSP specification to say that
browsers MUST NOT allow bookmarklets to violate CSP directives. The
only improvement that browser makers should make to improve bookmarklet
support is to create tools to help migrate bookmarklets to extensions.

>   Maybe we need a new Fetch context
> (http://fetch.spec.whatwg.org/#requests) for activating a bookmark
> that is more specific than "internal"?

No, please.

Received on Monday, 4 August 2014 03:17:31 UTC
