
Re: CSP Spec question

From: Mike West <mkwst@google.com>
Date: Wed, 28 May 2014 16:32:50 +0200
Message-ID: <CAKXHy=eJLGx-qF87peBu3JqM=thbe_VHn0G8WM28Nzbz6OOgwg@mail.gmail.com>
To: Adam Gray <adam@trackif.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, Mike West <mike@mikewest.org>, WebAppSec WG <public-webappsec@w3.org>
The note in
https://w3c.github.io/webappsec/specs/content-security-policy/#processing-model
is meant to address this case. I can't speak for Mozilla, Opera, Safari,
or IE, but in Blink, we've taken the position that CSP should not block
extensions. We're certainly not perfect at allowing extensions' activities
in the presence of a page's CSP, but the goal is that extensions should
Just Work.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Register court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)


On Wed, May 28, 2014 at 4:29 PM, Adam Gray <adam@trackif.com> wrote:

> Thank you for your feedback thus far. I guess my question is fairly
> complex, at least from my newcomer mindset. If all sites enabled strict CSP
> rules blocking any non-sanctioned script injections... Would that basically
> render plugins, bookmarklets, and the like moot?
>
> Maybe I just don't understand the spec enough.
>
> Sent from my iPhone
>
> On May 28, 2014, at 7:19 AM, Mike West <mkwst@google.com> wrote:
>
> On Wed, May 28, 2014 at 1:08 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
>
>> I'm not sure I agree with that. If that were true, Chrome would not be
>> trying to move away from NPAPI, Safari would support Flash and other
>> plugins on iOS, etc. We certainly have defined some things around
>> plugins, but they are mostly a black box still and everyone hopes to
>> move away from them just like Apple did.
>>
>
> Oh, I cannot wait for NPAPI to die. But until it does, we should define
> some things around the outlines of the big black hole they leave in the
> platform.
>
> I don't like sync XHR either, but that doesn't mean that I don't think it
> should be in the spec if it's widely supported and used.
>
>
>> There may be disagreement, but that's the role standards have taken to
>> date. We don't run conformance test suites of standards on browsers
>> plus their myriad of extensions. Or on custom builds of browsers some
>> set of users decided to start using (same as extensions). None of that
>> seems tenable either, so I'm not sure why there would be disagreement.
>>
>
> I'd agree with you that MUST-level requirements would be both difficult to
> test and to enforce. SHOULD-level recommendations, however, seem quite
> valuable.
>
> Especially for standards like CSP which have a cross-cutting impact on the
> way websites function, it's important for us to help user agent
> implementers understand the potential impact of the spec on the extension
> systems they've created, and to guide them towards implementations we see
> as correctly balancing potentially competing claims. The "should CSP block
> extensions" discussion and subsequent compromise from a few weeks back is
> an exemplary example of us doing a bad job of that (IMO).
>
> -mike
>
>
Received on Wednesday, 28 May 2014 14:33:39 UTC
