
Re: Security headers and browser extensions

From: Craig Francis <craig.francis@gmail.com>
Date: Tue, 17 Jan 2017 13:24:48 +0000
Message-Id: <709AF25B-229C-49FD-939C-7B2B3DFE89C4@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
To: Scott Helme <scotthelme@hotmail.com>
Hi Scott,

While I'm in the same position as you (I build websites, and want to secure them as much as possible), the extension itself is something that the user installed (in theory), and they should be allowed to do whatever they like (the user is in control).

This does annoy me from the security point of view (the extension can be stealing all kinds of data), but if the extension is malicious, it has already compromised the computer, so there isn't much you can do :-(

The reason it's like this is because many extensions are installed by the user for a reason, and that reason may be as simple as improving the accessibility of the website (even if that's an ad blocker).

So when I change my focus to the browser extension I created, one that helps people block animations (i.e. to make reading pages easier), it does this by simply taking a screenshot and overlaying it over the page; the website's owner shouldn't stop the user from having this level of control.

Hope that helps,


> On 17 Jan 2017, at 12:40, Scott Helme <scotthelme@hotmail.com> wrote:
> Hey everyone,
> I wanted to bring up a question about security headers and the powers that extensions have to modify them. 
> I run a free CSP reporting service and as a result work with a large number of organisations on deploying and monitoring CSP in the wild. On many occasions over the last year I've seen some odd behaviour where items have been blocked that simply didn't exist on the page, or entries in a policy that the host didn't insert. These have been tracked back to malicious extensions and sometimes even adware/malware on the endpoint.
> In the early days an extension would just blindly insert into the DOM and cause a CSP violation as the source of the script/image/asset wasn't whitelisted. I've used these reports to track the rise and fall of malicious extensions. More recently I've worked with a few companies that are receiving CSP reports that contain whitelisted hosts that they didn't put there. After investigation it turns out that extensions that want to do naughty things will now whitelist their origins in a CSP if one is present. How thoughtful of them! This got me thinking about whether or not an extension should be able to modify a security policy delivered by the host, should the browser protect them?
> This could also extend further beyond CSP too. An extension could strip out HSTS, HPKP, XXP etc... Thoughts and input welcome! 
> Regards, 
> Scott Helme / Information Security Consultant
> PGP Key <https://scotthelme.co.uk/contact/>
> https://scotthelme.co.uk <https://scotthelme.co.uk/>
> https://report-uri.io <https://report-uri.io/>
> https://securityheaders.io <https://securityheaders.io/>
> https://scotthel.me <https://scotthel.me/>

Received on Tuesday, 17 January 2017 13:25:24 UTC
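Scott's observation that some extensions now whitelist their own origins in a CSP rather than simply violating it suggests a check a report consumer can run: compare the `original-policy` field that the browser includes in each CSP report against the policy the server is known to emit, and flag any report whose policy has gained or lost source expressions. The code below is an added example for this thread, not code from either author or from any reporting service. The served policy, the `example.com`/`injected.example` hosts and the sample reports are all constructed for the example.

```python
"""Flag CSP reports whose original-policy differs from the policy we serve.

Added illustration for the thread above; helper names and sample data are
hypothetical. CSP report fields follow the csp-report JSON format that
browsers POST to report-uri.
"""
import json
from typing import Dict, List, Optional, Set

# The policy the origin server actually sends (assumed for this example).
SERVED_POLICY = (
    "default-src 'self'; "
    "script-src 'self' https://cdn.example.com; "
    "img-src 'self' data:; "
    "report-uri /csp-report"
)


def parse_policy(policy: str) -> Dict[str, Set[str]]:
    """Split a serialized CSP into {directive-name: set(source-expressions)}.

    Directive names are ASCII case-insensitive, so they are lower-cased.
    Source expressions are kept verbatim because nonces and hashes are
    case-sensitive. A repeated directive is ignored by browsers, so only
    the first occurrence is kept here as well.
    """
    directives: Dict[str, Set[str]] = {}
    for token in policy.split(";"):
        parts = token.strip().split()
        if not parts:
            continue
        directives.setdefault(parts[0].lower(), set(parts[1:]))
    return directives


def diff_policy(served: str, reported: str) -> Dict[str, Dict[str, Set[str]]]:
    """Per-directive differences between the served and the reported policy.

    'added' holds sources present only in the reported policy (an extension
    whitelisting itself), 'removed' holds sources present only in the served
    one (a directive weakened or stripped). Directives absent from one side
    show up with all of their sources in the corresponding set.
    """
    a, b = parse_policy(served), parse_policy(reported)
    delta: Dict[str, Dict[str, Set[str]]] = {}
    for name in a.keys() | b.keys():
        added = b.get(name, set()) - a.get(name, set())
        removed = a.get(name, set()) - b.get(name, set())
        if added or removed:
            delta[name] = {"added": added, "removed": removed}
    return delta


def analyse_report(served: str, report_json: str) -> Dict[str, object]:
    """Parse one POSTed report and decide whether its policy was tampered with."""
    body = json.loads(report_json)["csp-report"]
    delta = diff_policy(served, body.get("original-policy", ""))
    return {
        "document": body.get("document-uri"),
        "blocked": body.get("blocked-uri"),
        "directive": body.get("effective-directive") or body.get("violated-directive"),
        "tampered": bool(delta),
        "delta": delta,
    }


def triage(served: str, reports: List[str]) -> List[Dict[str, object]]:
    """Return only the findings whose original-policy differs from what we serve."""
    return [f for f in (analyse_report(served, r) for r in reports) if f["tampered"]]


def _report(policy: str, blocked: str, violated: str, effective: Optional[str] = None) -> str:
    """Build a constructed csp-report body, shaped like a browser's POST."""
    return json.dumps({"csp-report": {
        "document-uri": "https://www.example.com/account",
        "referrer": "",
        "violated-directive": violated,
        "effective-directive": effective or violated,
        "original-policy": policy,
        "blocked-uri": blocked,
        "status-code": 200,
    }})


# Constructed sample reports (not real traffic).
SAMPLE_REPORTS = [
    # 1. Honest violation: something injected a script the policy never allowed.
    _report(SERVED_POLICY, "https://injected.example/tracker.js", "script-src"),
    # 2. Self-whitelisting: script-src gained a host the site never listed; the
    #    report itself is for an unrelated image the same extension injected.
    _report(SERVED_POLICY.replace("https://cdn.example.com",
                                  "https://cdn.example.com https://injected.example"),
            "https://injected.example/pixel.gif", "img-src"),
    # 3. Weakened policy: img-src stripped (falls back to default-src) and
    #    'unsafe-inline' added to script-src.
    _report("default-src 'self'; script-src 'self' https://cdn.example.com 'unsafe-inline'; "
            "report-uri /csp-report",
            "https://injected.example/pixel.gif", "default-src", "img-src"),
]

if __name__ == "__main__":
    for finding in triage(SERVED_POLICY, SAMPLE_REPORTS):
        print(finding["document"], finding["directive"], finding["delta"])
```

The check only sees reports that actually arrive: an extension that also strips `report-uri` (or, as Scott notes, HSTS or other headers) leaves no trace here, and the `original-policy` value is whatever the browser saw after the modification, which is exactly why it can be compared against a trusted copy of the served header.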
