Hey everyone,
I wanted to bring up a question about security headers and the powers that extensions have to modify them.
I run a free CSP reporting service and as a result work with a large amount of organisations on deploying and monitoring CSP in the wild. On many occasions over the last year I've seen some odd behaviour where items have been blocked that simply didn't exist on the page or entries in a policy that the host didn't insert. These have been tracked back to malicious extensions and sometimes even adware/malware on the endpoint.
In the early days an extension would just blindly insert into the DOM and cause a CSP violation as the source of the script/image/asset wasn't whitelisted. I've used these reports to track the rise and fall of malicious extensions. More recently I've worked with a few companies that are receiving CSP reports that contain whitelisted hosts that they didn't put there. After investigation it turns out that extensions that want to do naughty things will now whitelist their origins in a CSP if one is present. How thoughtful of them! This got me thinking about whether or not an extension should be able to modify a security policy delivered by the host, should the browser protect them?
This could also extend further beyond CSP too. An extension could strip out HSTS, HPKP, XXP etc... Thoughts and input welcome!
Regards,
Scott Helme / Information Security Consultant
PGP Key<https://scotthelme.co.uk/contact/>
https://scotthelme.co.uk
https://report-uri.io
https://securityheaders.io
https://scotthel.me
[Twitter]<https://twitter.com/Scott_Helme>[Facebook]<https://www.facebook.com/scott.helme>[GooglePlus]<https://plus.google.com/+ScottHelme/posts>[YouTube]<https://www.youtube.com/user/ScottHelme>[LinkedIn]<https://uk.linkedin.com/in/scotthelme>[GitHub]<https://github.com/ScottHelme/>[Skype]<scott.helme87>
