Re: Removal of the note about extensions

>From a process perspective: we closed Cox's formal objection in the last
call, based on removing the sentence in question. As I noted in [1], I
don't think there's any normative difference between the spec with or
without that sentence: I don't plan on changing Blink's behavior, and I'd
speculate that Mozilla doesn't intend to use this sentence's absence as a
reason to stop working to allow add-ons to function in the presence of a
page's CSP.

That said, I personally agree with the sentiments expressed here and on the
GitHub commit [2]: removing the sentence is probably the wrong way to
resolve the objection, because it doesn't make the WG's general consensus

I believe the following fairly summarizes the discussion thus far (Glenn,
and others, please correct me):

* Cox objects to language that provides a blanket policy exception to
extensions, for two reasons:
    1. Compromised extensions may not be representing the will of the user.
    2. Liability for catastrophic loss which could have been prevented if
extensions' actions could be suppressed.

* The WG, on the other hand, seems supportive of allowing extensions to
bypass a page's CSP. For example, see the poll results from [3]: reps from
Google, Mozilla, and others were generally disinterested in changing the
spec's normative behavior. Cox's vote was the only positive response to #6
that I saw.

With this in mind, I'm inclined to add a non-normative note to the spec
along the lines of "Note that user agents are encouraged to allow
third-party add-ons and JavaScript bookmarklets to bypass policy
enforcement, either implicitly or based on the user's preference."

On Mon, Feb 24, 2014 at 7:50 AM, Mitar <> wrote:

> And such argumentation is really silly. First you are saying that
> because there is a consensus and of course nobody will block, there is
> no need to put this into the standard. And then also because there is
> no consensus, there is nothing to put into the standard.

I don't think that's been my argument. In short, I removed the sentence

1. Extensions are vendor specific.
2. Vendor specific bits are, by their nature, non-interoperable.
3. Normative bits of the spec shouldn't regular vendor-specific bits of the
user agent.

I would be perfectly happy to add a non-normative note to the spec,
explaining that it would be wonderful if vendor-specific things like
extensions would continue to function despite a page's CSP. I

> I can assure you that not all UAs will adopt the position of ignoring CSP
> in the case of
> > extensions/add-ons. In fact, I'm aware of a downstream specification
> that mandates
> > that UAs (that comply with that specification) must enforce CSP
> policies, modulo explicit
> > override by end user, in the case of extensions/add-ons.

Can you point to that spec, Glenn? I'm curious.



Received on Monday, 24 February 2014 13:32:20 UTC