ISSUE-41: CSP does not protect against malicious extensions

CSP and malicious extensions


CSP Level 1
Raised by: Brad Hill
Opened on:

A question arose on the list whether CSP can and should offer protection against modifications to resources by potentially malicious extensions.

This issue tracks the WG's formal resolution of the issue as out of scope.

In particular, this group follows the priority of constituencies defined in the HTML Design Principles:

According to this, the user's right to install any extension (including malicious ones) and for those extensions to modify resources according to the user's wishes trumps a resource's wishes to remain unmodified.

If a user needs protection from such extensions, this is part of the contract between the user and browser or operating system, not between the user and a resource owner.
Related Action Items:
No related actions
Related emails:
No related emails

Related notes:

No additional notes.


Chairs: Daniel Veditz, Mike West. Staff Contacts: Wendy Seltzer, Samuel Weiler.
$Id: 41.html,v 1.1 2020/01/17 08:52:32 carcone Exp $