
Re: CSP header protection

From: Frederik Braun <fbraun@mozilla.com>
Date: Wed, 3 Feb 2016 17:30:26 +0100
To: public-webappsec@w3.org
Message-ID: <56B22B22.9060807@mozilla.com>

I don't think this is actually introducing security issues. Content
Security Policy is a mechanism of defense in depth. It can prevent a
Cross-Site Scripting issue from being exploited, but you still have a
Cross-Site Scripting vulnerability in your web page.
In that sense, you may see the user with such an add-on just like a user
with a browser that does not support CSP.

In addition, browser extensions, or add-ons, almost always reflect user
choice. The W3C considers user choice as a higher priority than those of
a content author [1], so it is rather unlikely that such text will find
its way into the CSP spec.

[1] https://www.w3.org/TR/html-design-principles/#priority-of-constituencies

On 03.02.2016 16:16, Kepeng Li wrote:
> Hello all,
> We find that some plugins can modify the content of the HTTP CSP
> response header or even delete the whole CSP header. In this way,
> plugins can inject into the web contents, and this will introduce some
> security problems.
> I searched the archive; this issue was also raised about CSP 1.1 two
> years ago:
> https://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0165.html
> We propose to add some text in the CSP spec to emphasize that the CSP
> header must not be modified or deleted by the browser or plugins, to
> avoid this situation.
> What do you think?
> Thanks,
> Kind Regards
> Kepeng Li
> Alibaba Group
Received on Wednesday, 3 February 2016 16:30:58 UTC
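Because the thread treats a stripped or weakened CSP header as equivalent to a client that simply does not enforce CSP, a site operator may want to know when the policy a client actually received differs from the one the origin sent. The following is an added example, not code from the thread or from any W3C deliverable: a small Python comparison of an intended Content-Security-Policy value against a copy a client reported back (how the client reports it is assumed; the sample policies are constructed for illustration).

```python
"""Compare the CSP an origin intends to send with the CSP a client observed."""
from typing import Dict, List, Optional

# Constructed sample values: the policy the server sends, and two variants
# a client might report if something between server and document altered it.
EXPECTED_POLICY = "default-src 'self'; script-src 'self' https://cdn.example"
OBSERVED_WEAKENED = (
    "default-src 'self'; script-src 'self' https://cdn.example 'unsafe-inline'"
)
OBSERVED_TRUNCATED = "default-src 'self'"


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse a Content-Security-Policy value into {directive: [source exprs]}.

    Directives are separated by ';'; within a directive, tokens are separated
    by whitespace. Per the CSP spec, when a directive name is repeated only
    the first occurrence is honoured, so later duplicates are ignored here.
    """
    policy: Dict[str, List[str]] = {}
    for token in header.split(";"):
        parts = token.strip().split()
        if not parts:
            continue  # empty segment, e.g. trailing ';'
        name = parts[0].lower()
        policy.setdefault(name, parts[1:])
    return policy


def diff_policies(expected: str, observed: Optional[str]) -> List[str]:
    """Return findings describing how `observed` is weaker than `expected`.

    An empty list means the observed policy is at least as strict: every
    expected directive is present and no extra source expression was added.
    Stricter observed policies (fewer sources) are not reported as findings.
    """
    if observed is None:
        return ["CSP header missing entirely"]
    findings: List[str] = []
    exp, obs = parse_csp(expected), parse_csp(observed)
    for directive, sources in exp.items():
        if directive not in obs:
            findings.append(f"directive removed: {directive}")
            continue
        for src in obs[directive]:
            if src not in sources:
                findings.append(f"source added to {directive}: {src}")
    return findings
```

A client-side copy of the enforced policy is only evidence of what that client saw; the check flags divergence for investigation and does not by itself restore enforcement for that user.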
