- From: Frederik Braun <fbraun@mozilla.com>
- Date: Wed, 3 Feb 2016 17:30:26 +0100
- To: public-webappsec@w3.org
Hi,

I don't think this is actually introducing security issues. Content Security Policy is a mechanism of defense in depth. It can prevent a Cross-Site Scripting issue from being exploited, but you still have a Cross-Site Scripting vulnerability in your web page. In that sense, you may see the user with such an add-on just like a user with a browser that does not support CSP.

In addition, browser extensions, or add-ons, almost always reflect user choice. The W3C considers user choice as a higher priority than that of a content author [1], so it is rather unlikely that such text will find its way into the CSP spec.

[1] https://www.w3.org/TR/html-design-principles/#priority-of-constituencies

On 03.02.2016 16:16, Kepeng Li wrote:
> Hello all,
>
> We find that some plugins can modify the content of the HTTP CSP
> response header or even delete the whole CSP header. In this way,
> plugins can inject into the web contents, and this will introduce some
> security problems.
>
> I searched the archive, this issue was also raised about CSP 1.1 two
> years ago:
> https://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0165.html
>
> We propose to add some text in the CSP spec to emphasize that the CSP
> header must not be modified or deleted by the browser or plugins, to
> avoid this situation.
>
> What do you think?
>
> Thanks,
>
> Kind Regards
>
> Kepeng Li
> Alibaba Group
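The defense-in-depth argument above (output encoding is the real fix; CSP is a second layer, and a page whose CSP header an add-on has deleted is simply a page in a browser without CSP) modelled in Python. This is an added illustration, not code from the thread; the payload, the policy string and the response dict are constructed.

```python
"""Model of the thread's argument: CSP as a second layer behind output encoding.

Constructed illustration. The 'browser' and 'add-on' are simplified: a page is
treated as exploitable only when the XSS bug exists AND no CSP header survived.
"""
import html

# Constructed policy: no 'unsafe-inline', so inline <script> would be blocked.
CSP = "default-src 'self'"

# Constructed untrusted input, as a comment field might receive it.
PAYLOAD = "<script>alert(1)</script>"


def render_page(comment: str, escape: bool) -> str:
    """Embed an untrusted comment in HTML. escape=False leaves the XSS bug in."""
    body = html.escape(comment, quote=True) if escape else comment
    return f"<html><body><p>{body}</p></body></html>"


def build_response(comment: str, escape: bool) -> dict:
    """Server response as a dict: the CSP header is sent whether or not the body is safe."""
    return {
        "headers": {"Content-Security-Policy": CSP},
        "body": render_page(comment, escape),
    }


def strip_csp(response: dict) -> dict:
    """Model a client-side add-on deleting the CSP header before the browser sees it."""
    headers = {
        k: v for k, v in response["headers"].items()
        if k.lower() != "content-security-policy"
    }
    return {"headers": headers, "body": response["body"]}


def has_xss_bug(response: dict) -> bool:
    """The vulnerability itself: untrusted markup reached the page unencoded."""
    return "<script>" in response["body"]


def is_exploitable(response: dict) -> bool:
    """Exploitable only if the bug exists and no CSP remains to block the inline script."""
    csp_present = any(
        k.lower() == "content-security-policy" for k in response["headers"]
    )
    return has_xss_bug(response) and not csp_present
```

Running the unescaped case through `strip_csp` shows the header only ever hid the bug; the escaped case stays safe with or without the header.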
Received on Wednesday, 3 February 2016 16:30:58 UTC