[Webkit-unassigned] [Bug 149000] Some extensions triggers CSP violation reports
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Wed Jan 10 04:07:30 PST 2018
https://bugs.webkit.org/show_bug.cgi?id=149000
Sam Deane <sam at elegantchaos.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |sam at elegantchaos.com
--- Comment #3 from Sam Deane <sam at elegantchaos.com> ---
It appears that the spec now says "may" and not "should", so the current behaviour may not violate the letter of the law.
https://github.com/w3c/webappsec/commit/73963d509b20513a6f42b1e0839715aca8b578b0
It does however make it pretty hard (if not impossible) to implement a whole range of useful extensions which of necessity rely on script injection.
It seems sensible to have a mechanism that would allow browsers to exempt extensions (perhaps on a per-extension basis). It then comes down to a matter of user-trust whether to allow each extension full access - which seems to be in keeping with the W3C intent.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20180110/5ef50d06/attachment.html>
More information about the webkit-unassigned
mailing list