Re: new meta tags to protect code visibility or immuatbility from Mike West on 2016-02-24 (public-webappsec@w3.org from February 2016)

From: Mike West <mkwst@google.com>
Date: Wed, 24 Feb 2016 10:16:47 +0100
To: Daniel Veditz <dveditz@mozilla.com>
Cc: Mitar <mmitar@gmail.com>, Brad Hill <hillbrad@gmail.com>, Craig Francis <craig.francis@gmail.com>, Ahmed Saleh <ahmedzs@live.ca>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAKXHy=et+07TqNfodVtKz=oAbEC6og99NuUkps8-ptB9BjocDw@mail.gmail.com>

On Wed, Feb 24, 2016 at 9:45 AM, Daniel Veditz <dveditz@mozilla.com> wrote:

> You are indeed trolling. Making bookmarklets and some add-ons work when
> CSP is applied is _hard_. They are not broken because CSP-implementing
> browser vendors are valuing the page author over the user. We don't know
> how to balance a feature that wants random content injection and a feature
> that is trying to prevent content injection. Firefox does allow users to
> disable CSP entirely if they think it is interfering with their experience
> (users win, as the PoC says they should); I wouldn't be surprised if Chrome
> didn't also support that as an advanced option.
>

Chrome does not support that as an option.

Chrome does, however, do quite a bit of work to allow extensions to bypass
CSP. It's not at all perfect, but it's probably ~80% of the way there. I'd
love to see Firefox follow suit. :)

-mike

Received on Wednesday, 24 February 2016 09:17:39 UTC