ISSUE-17: CSP should take into account extensions which modify content
Extension compat
CSP should take into account extensions which modify content
- State: CLOSED
- Product: CSP Level 1
- Raised by: Brad Hill
- Opened on: 2012-09-11
- Description: Last Call comment by Fred Andrews:
http://lists.w3.org/Archives/Public/public-webappsec/2012Sep/0013.html
The approach the proposal takes fails to take into account extensions run on the client that modify and manipulate the application document. Until there is a comprehensive solution that takes this reality into account this proposal is applicable only to a subset of locked down clients and thus it does not appear worthy of standardization at this stage.
- Related Action Items:
- No related actions
- Related emails:
- No related emails
Related notes:
The specification currently states: "Enforcing a CSP policy should not interfere with the operation of user-supplied scripts such as third-party user-agent add-ons and JavaScript bookmarklets."
Any more specific guidance would be non-normative as extension mechanisms are highly specific to user agents. Future versions may add additional guidance as best practices emerge in the implementer community.
Responses to this issue can be found in the following threads (there are often several replies, so it is suggested to view "Contemporary messages sorted by thread"):
http://lists.w3.org/Archives/Public/public-webappsec/2012Oct/0048.html
http://lists.w3.org/Archives/Public/public-webappsec/2012Sep/0044.html
http://lists.w3.org/Archives/Public/public-webappsec/2012Sep/0040.html
The group's decision to close this issue without changing spec behavior was recorded in the minutes to the following teleconferences:
http://www.w3.org/2011/webappsec/minutes/webappsec-minutes-25-Sep-2012.html
http://www.w3.org/2011/webappsec/minutes/webappsec-minutes-23-Oct-2012.html