
Re: new meta tags to protect code visibility or immutability

From: Daniel Veditz <dveditz@mozilla.com>
Date: Wed, 24 Feb 2016 00:45:22 -0800
Message-ID: <CADYDTCB8NAFFwZRtXMLUoUGuvTp1Pvtay2TjbX=aUN48F8RLKw@mail.gmail.com>
To: Mitar <mmitar@gmail.com>
Cc: Brad Hill <hillbrad@gmail.com>, Craig Francis <craig.francis@gmail.com>, Ahmed Saleh <ahmedzs@live.ca>, "public-webappsec@w3.org" <public-webappsec@w3.org>

You are indeed trolling. Making bookmarklets and some add-ons work when CSP
is applied is _hard_. They are not broken because CSP-implementing browser
vendors are valuing the page author over the user. We don't know how to
balance a feature that wants random content injection and a feature that is
trying to prevent content injection. Firefox does allow users to disable
CSP entirely if they think it is interfering with their experience (users
win, as the PoC says they should); I wouldn't be surprised if Chrome didn't
also support that as an advanced option.

-Dan Veditz

Received on Wednesday, 24 February 2016 08:45:55 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:54 UTC