- From: Dolière Francis SOME <doliere.some@inria.fr>
- Date: Tue, 17 Jan 2017 14:20:35 +0100 (CET)
- To: Scott Helme <scotthelme@hotmail.com>
- Cc: public-webappsec@w3.org
- Message-ID: <438551977.6085276.1484659235311.JavaMail.zimbra@inria.fr>
Hi Scott,

Just to point you to a study related to what you are describing. Maybe you are aware of it. Anyway, it is a paper `May I? - Content Security Policy Endorsement for Browser Extensions` by Daniel Hausknecht, Jonas Magazinius and Andrei Sabelfeld.

Best,

Dolière Francis SOME
PhD Candidate / Security and Privacy in Web Applications

----- Original Message -----
> From: "Scott Helme" <scotthelme@hotmail.com>
> To: public-webappsec@w3.org
> Sent: Tuesday, January 17, 2017 1:40:18 PM
> Subject: Security headers and browser extensions
>
> Hey everyone,
>
> I wanted to bring up a question about security headers and the powers that
> extensions have to modify them.
>
> I run a free CSP reporting service and as a result work with a large amount
> of organisations on deploying and monitoring CSP in the wild. On many
> occasions over the last year I've seen some odd behaviour where items have
> been blocked that simply didn't exist on the page or entries in a policy
> that the host didn't insert. These have been tracked back to malicious
> extensions and sometimes even adware/malware on the endpoint.
>
> In the early days an extension would just blindly insert into the DOM and
> cause a CSP violation as the source of the script/image/asset wasn't
> whitelisted. I've used these reports to track the rise and fall of malicious
> extensions. More recently I've worked with a few companies that are
> receiving CSP reports that contain whitelisted hosts that they didn't put
> there. After investigation it turns out that extensions that want to do
> naughty things will now whitelist their origins in a CSP if one is present.
> How thoughtful of them! This got me thinking about whether or not an
> extension should be able to modify a security policy delivered by the host,
> should the browser protect them?
>
> This could also extend further beyond CSP too. An extension could strip out
> HSTS, HPKP, XXP etc... Thoughts and input welcome!
>
> Regards,
>
> Scott Helme / Information Security Consultant
> PGP Key
> https://scotthelme.co.uk
> https://report-uri.io
> https://securityheaders.io
> https://scotthel.me
Received on Tuesday, 17 January 2017 13:21:45 UTC
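The two symptoms Scott describes in the quoted message (violation reports for resources the page never loaded, and reports whose policy contains sources the host never sent) can both be picked up on the report-collecting side. The following is an added example, not code from this thread or from report-uri.io; the server policy, hostnames and the three CSP reports are constructed, and the triage labels are my own naming. It compares the `original-policy` field of each report against the policy the server actually sent and flags any extra source expressions, then sorts the remaining reports by whether the blocked resource was third-party.

```python
import json
from urllib.parse import urlsplit

# Policy the server sent. All values below are constructed for this example.
SERVER_POLICY = ("default-src 'self'; script-src 'self' https://cdn.example.com; "
                 "report-uri /csp-report")

def report(blocked_uri, violated, original_policy):
    """Build a constructed CSP report in the report-uri JSON format."""
    return json.dumps({"csp-report": {
        "document-uri": "https://www.example.com/", "violated-directive": violated,
        "blocked-uri": blocked_uri, "original-policy": original_policy}})

SAMPLE_REPORTS = [
    # 1. Something injected a script the page never loaded; the unmodified policy blocked it.
    report("https://injected.extension.test/a.js", "script-src", SERVER_POLICY),
    # 2. The policy the browser enforced carries an origin the host never added.
    report("https://tracker.test/pixel.gif", "img-src",
           SERVER_POLICY.replace("https://cdn.example.com",
                                 "https://cdn.example.com https://injected.extension.test")),
    # 3. Ordinary first-party violation (inline script) under the unmodified policy.
    report("inline", "script-src", SERVER_POLICY),
]

def parse_policy(policy):
    """Map each directive name to the set of its source expressions."""
    return {p.split()[0].lower(): set(p.split()[1:]) for p in policy.split(";") if p.split()}

def unexpected_sources(expected_policy, reported_policy):
    """Sources per directive present in the enforced policy but absent from the one the server sent."""
    expected, reported = parse_policy(expected_policy), parse_policy(reported_policy)
    extra = {}
    for directive, sources in reported.items():
        missing = sources - expected.get(directive, set())
        if missing:
            extra[directive] = sorted(missing)
    return extra

def triage(raw_report, expected_policy=SERVER_POLICY):
    """Classify one report: 'policy-tampered', 'third-party-blocked' or 'first-party-blocked'."""
    body = json.loads(raw_report)["csp-report"]
    extra = unexpected_sources(expected_policy, body.get("original-policy", ""))
    if extra:
        return "policy-tampered", extra
    blocked_host = urlsplit(body.get("blocked-uri", "")).hostname  # None for 'inline', 'eval', ...
    page_host = urlsplit(body.get("document-uri", "")).hostname
    if blocked_host and blocked_host != page_host:
        return "third-party-blocked", {"host": blocked_host}
    return "first-party-blocked", {"blocked-uri": body.get("blocked-uri", "")}
```

A rewritten policy only surfaces in reports triggered by some other violation, since the rewrite's purpose is to stop the injected resource itself from being reported, so the comparison has to run over every report's `original-policy`, not only over reports whose `blocked-uri` looks suspicious.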