Re: new meta tags to protect code visibility or immuatbility from Daniel Veditz on 2016-02-24 (public-webappsec@w3.org from February 2016)

From: Daniel Veditz <dveditz@mozilla.com>
Date: Wed, 24 Feb 2016 00:45:22 -0800
To: Mitar <mmitar@gmail.com>
Cc: Brad Hill <hillbrad@gmail.com>, Craig Francis <craig.francis@gmail.com>, Ahmed Saleh <ahmedzs@live.ca>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CADYDTCB8NAFFwZRtXMLUoUGuvTp1Pvtay2TjbX=aUN48F8RLKw@mail.gmail.com>

You are indeed trolling. Making bookmarklets and some add-ons work when CSP
is applied is _hard_. They are not broken because CSP-implementing browser
vendors are valuing the page author over the user. We don't know how to
balance a feature that wants random content injection and a feature that is
trying to prevent content injection. Firefox does allow users to disable
CSP entirely if they think it is interfering with their experience (users
win, as the PoC says they should); I wouldn't be surprised if Chrome didn't
also support that as an advanced option.

-Dan Veditz

Received on Wednesday, 24 February 2016 08:45:55 UTC