
Re: [CSP] Request to amend bookmarklet/extensions sentence in CSP1.1

From: Daniel Veditz <dveditz@mozilla.com>
Date: Tue, 15 Jul 2014 20:25:14 -0700
Message-ID: <53C5F09A.4060902@mozilla.com>
To: Gregory Huczynski <gh_online@me.com>, public-webappsec@w3.org

On 7/15/2014 12:47 AM, Gregory Huczynski wrote:
> There was no input to the consensus decision from any individuals or
> companies who make popular bookmarklets or extensions - who would like a
> say on this change if they were aware of it. I will be making such
> individuals and companies aware of the CSP 1.1 draft, such that they
> have an opportunity to comment before the deadline closes on 13 August 2014.

Both the Firefox and Chrome implementors of CSP would like the 1.0
language to be true, but it is technically hard to distinguish wanted
injected content from an attack. That is especially true for
bookmarklets which are pure XSS by definition, even if "good" XSS.

More useful than arguing about the spec language would be writing
patches implementing clever ideas to fix the problem. If you know
someone with the time and coding chops for Firefox in particular, I have
some ideas but no time to implement. Look me up on the Mozilla dev lists
or IRC.

-Dan Veditz
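As an added illustration of the point above (this is example code written for this page, not part of Dan's message and not any browser's CSP implementation), here is a toy model of how a `script-src` directive decides whether a script may run. The policy string, page origin and script events are constructed sample data. The model follows the CSP rule that inline script, which includes `javascript:` URLs such as bookmarklets, has no origin to match and is therefore governed only by the `'unsafe-inline'` keyword; a bookmarklet and an injected inline `<script>` land in the same bucket and get the same verdict.

```javascript
// Added example: a simplified CSP script-src evaluator (not a real browser's code).
// Parse a Content-Security-Policy header into { directiveName: [sourceExpressions] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Match a host-source expression ("https://cdn.example", "cdn.example", "*.example")
// against a script URL. Scheme must agree when the expression carries one.
function matchesHost(source, url) {
  let host = source;
  if (source.includes("://")) {
    const su = new URL(source);
    if (su.protocol !== url.protocol) return false;
    host = su.host;
  }
  if (host.startsWith("*.")) return url.host.endsWith(host.slice(1));
  return url.host === host;
}

// Decide whether one script event may execute under the policy.
// request.kind is "external" (has a URL) or "inline" (inline block, event
// handler, or javascript: URL). Inline script has no origin, so the only
// source expression that can admit it is 'unsafe-inline'.
function scriptAllowed(policy, request, pageOrigin) {
  const sources = policy["script-src"] || policy["default-src"];
  if (!sources) return true;                 // no governing directive
  if (sources.includes("'none'")) return false;
  if (request.kind === "inline") {
    return sources.includes("'unsafe-inline'");
  }
  const url = new URL(request.src);
  for (const s of sources) {
    if (s === "*") return true;
    if (s === "'self'" && url.origin === pageOrigin) return true;
    if (!s.startsWith("'") && matchesHost(s, url)) return true;
  }
  return false;
}

// Evaluate a list of script events and report each verdict.
function evaluate(policy, events, pageOrigin) {
  return events.map(e => ({ label: e.label, allowed: scriptAllowed(policy, e, pageOrigin) }));
}

// Constructed sample data: one page, one policy, four script events.
const samplePolicy = parseCsp("default-src 'self'; script-src 'self' https://cdn.example");
const samplePageOrigin = "https://app.example";
const sampleEvents = [
  { label: "same-origin external script", kind: "external", src: "https://app.example/app.js" },
  { label: "allow-listed CDN script",     kind: "external", src: "https://cdn.example/lib.js" },
  { label: "bookmarklet (javascript: URL)", kind: "inline", code: "javascript:void(document.title)" },
  { label: "injected inline <script>",    kind: "inline", code: "<script>/* attacker payload */</script>" },
];

for (const r of evaluate(samplePolicy, sampleEvents, samplePageOrigin)) {
  console.log(`${r.allowed ? "ALLOW" : "BLOCK"}  ${r.label}`);
}
```

Running it prints ALLOW for the two external scripts and BLOCK for both inline events. The only policy change that lets the bookmarklet through is adding `'unsafe-inline'`, which also admits the injected script: that is the distinction the browser is being asked to make and cannot make from the policy alone.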
Received on Wednesday, 16 July 2014 03:25:47 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:06 UTC