ISSUE-41: CSP does not protect against malicious extensions
CSP and malicious extensions
- State: CLOSED
- Product: CSP Level 1
- Raised by: Brad Hill
- Opened on: 2012-12-19
- Description:
- A question arose on the list whether CSP can and should offer protection against modifications to resources by potentially malicious extensions.
http://lists.w3.org/Archives/Public/public-webappsec/2012Oct/0089.html
This issue tracks the WG's formal resolution of the issue as out of scope.
In particular, this group follows the priority of constituencies defined in the HTML Design Principles: http://www.w3.org/TR/html-design-principles/
According to this, the user's right to install any extension (including malicious ones) and for those extensions to modify resources according to the user's wishes trumps a resource's wishes to remain unmodified.
If a user needs protection from such extensions, this is part of the contract between the user and browser or operating system, not between the user and a resource owner.
- Related Action Items: No related actions
- Related emails: No related emails
- Related notes: No additional notes.