ISSUE-17: CSP should take into account extensions which modify content

Extension compat

CSP Level 1
Raised by:
Brad Hill
Opened on:
Last Call comment by Fred Andrews:

The approach the proposal takes fails to take into account extensions run on the client that modify and manipulate the application document. Until there is a comprehensive solution that takes this reality into account this proposal is applicable only to a subset of locked down clients and thus it does not appear worthy of standardization at this stage.
Related Action Items:
No related actions
Related emails:
No related emails

Related notes:

The specification currently states: "Enforcing a CSP policy should not interfere with the operation of user-supplied scripts such as third-party user-agent add-ons and JavaScript bookmarklets."

Any more specific guidance would be non-normative as extension mechanisms are highly specific to user agents. Future versions may add additional guidance as best practices emerge in the implementer community.

Brad Hill, 11 Sep 2012, 21:18:35

Responses to this issue can be found in the following threads: (there are often several replies, so it is suggested to view "Contemporary messages sorted by thread").

The group's decision to close this issue without changing spec behavior was recorded in the minutes to the following teleconferences:

Brad Hill, 26 Oct 2012, 20:39:16


Daniel Veditz, Mike West, Chairs; Wendy Seltzer, Samuel Weiler, Staff Contacts