On Sun, Oct 01, 2017 at 12:54:26PM -0700, Luke Crouch wrote:
> On Friday, September 29, 2017 at 2:32:57 PM UTC-5, Kris Maglione wrote:
>> Security & privacy concerns:
>> This change will allow extensions to inject content into sites which can
>> (and probably will) cause security and privacy issues. However, it's
>> already quite easy for malicious or badly-implemented extensions to
>> create similar issues, and I don't think this change significantly
>> increases the risk. It may even mitigate it in some cases, since the
>> alternative of loading or evaling third-party scripts into the content
>> script sandbox would give them direct access to elevated privileges.
>> Per the CSP spec, those injections are assumed to be at the user's
>> behest, and should therefore take priority over the page author's
>> preferences.
>
> +1 on this part.
> As an add-on author, when I need to inject something the page CSP doesn't
> allow, I can already over-write the page CSP to allow it. But that feels more
> dangerous!

Yes, I'll admit that's one of my motivations. Whenever we try to prevent
extensions from doing things for security or performance reasons, extension
authors tend to just find another way to do it with worse security and
performance characteristics...

I filed bug 1273281 about preventing extensions from changing security headers
without a special permission, but for now, many extensions still do such
things.