- From: Kepeng Li <kepeng.lkp@alibaba-inc.com>
- Date: Wed, 03 Feb 2016 23:16:35 +0800
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Wednesday, 3 February 2016 15:17:56 UTC
Hello all,

We find that some plugins can modify the content of the HTTP CSP response header or even delete the whole CSP header. In this way, plugins can inject content into the web page, and this will introduce some security problems.

I searched the archive; this issue was also raised about CSP 1.1 two years ago: https://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0165.html

We propose to add some text to the CSP spec to emphasize that the CSP header must not be modified or deleted by the browser or plugins, to avoid this situation.

What do you think?

Thanks,
Kind Regards
Kepeng Li
Alibaba Group
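To make the concern in the message concrete from the auditing side, here is an added example (not part of the thread, and not W3C or Alibaba code) that compares the CSP a server sent with the CSP a page was observed to receive and reports where the observed policy is weaker, including the header being dropped entirely. The two header values are constructed for the example; the fallback of fetch directives to default-src follows CSP Level 2.

```python
"""Audit whether the CSP a page actually received is weaker than the one the
server sent, e.g. because something in between edited or dropped the header.
Sample headers below are constructed for this example."""

# Fetch directives fall back to default-src when absent (CSP Level 2 semantics).
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "connect-src",
                    "font-src", "object-src", "media-src", "frame-src", "child-src"}

def parse_csp(header):
    """Parse a CSP header value into {directive: set(sources)}.
    When a directive is repeated, the first occurrence wins, as the spec says."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy.setdefault(parts[0].lower(), set(parts[1:]))
    return policy

def effective_sources(policy, directive):
    """Source list that governs `directive`, honouring the default-src fallback.
    Returns None when nothing in the policy restricts it at all."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src")
    return None

def csp_weakenings(expected_header, observed_header):
    """List the ways `observed_header` is more permissive than `expected_header`.
    An empty list means the policy the page got is at least as strict."""
    if observed_header is None:
        return ["CSP header missing entirely"]
    expected, observed = parse_csp(expected_header), parse_csp(observed_header)
    findings = []
    for directive in sorted(set(expected) | set(observed)):
        want = effective_sources(expected, directive)
        got = effective_sources(observed, directive)
        if want is None:          # nothing was expected to restrict this
            continue
        if got is None:
            findings.append(f"{directive}: restriction removed")
        elif got - want:
            findings.append(f"{directive}: added {' '.join(sorted(got - want))}")
    return findings

# Constructed example: the server sent a strict policy, the page saw a looser one.
SERVER_CSP = "default-src 'self'; object-src 'none'; frame-ancestors 'none'"
OBSERVED_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'"

if __name__ == "__main__":
    for finding in csp_weakenings(SERVER_CSP, OBSERVED_CSP):
        print(finding)
```

A source removed from a directive is not reported, since that only makes the policy stricter; the check flags added sources and removed restrictions, which is the direction the message is worried about.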