ISSUE-41: CSP does not protect against malicious extensions

CSP and malicious extensions

State: CLOSED
Product: CSP Level 1
Raised by: Brad Hill
Opened on: 2012-12-19
Description:
A question arose on the list whether CSP can and should offer protection against modifications to resources by potentially malicious extensions.

http://lists.w3.org/Archives/Public/public-webappsec/2012Oct/0089.html

This issue tracks the WG's formal resolution of the issue as out of scope.

In particular, this group follows the priority of constituencies defined in the HTML Design Principles: http://www.w3.org/TR/html-design-principles/

According to this, the user's right to install any extension (including malicious ones) and for those extensions to modify resources according to the user's wishes trumps a resource's wishes to remain unmodified.

If a user needs protection from such extensions, this is part of the contract between the user and browser or operating system, not between the user and a resource owner.

Related Action Items: No related actions

Related emails: No related emails

Related notes:

No additional notes.



Daniel Veditz <dveditz@mozilla.com>, Mike West <mkwst@google.com>, Chairs, Wendy Seltzer <wseltzer@w3.org>, Samuel Weiler <weiler@w3.org>, Staff Contacts