[Webkit-unassigned] [Bug 149000] Some extensions triggers CSP violation reports

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jan 10 04:07:30 PST 2018


https://bugs.webkit.org/show_bug.cgi?id=149000

Sam Deane <sam at elegantchaos.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sam at elegantchaos.com

--- Comment #3 from Sam Deane <sam at elegantchaos.com> ---
It appears that the spec now says "may" and not "should", so the current behaviour may not violate the letter of the law.

https://github.com/w3c/webappsec/commit/73963d509b20513a6f42b1e0839715aca8b578b0

It does however make it pretty hard (if not impossible) to implement a whole range of useful extensions which of necessity rely on script injection.

It seems sensible to have a mechanism that would allow browsers to exempt extensions (perhaps on a per-extension basis). It then comes down to a matter of user-trust whether to allow each extension full access - which seems to be in keeping with the W3C intent.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20180110/5ef50d06/attachment.html>


More information about the webkit-unassigned mailing list