On Thursday, June 5, 2014 5:50:23 PM UTC+2, Boris Zbarsky wrote:
> The CSP implementation should be using protocol flags here instead of
> hardcoding (and if it's not, bugs should be filed). And then your
> protocol can set the relevant flags.

I'll confirm (going to dive deeper into the CSP code today) and file bugs as appropriate.

On Friday, June 6, 2014 2:06:48 AM UTC+2, Daniel Veditz wrote:
> CSP should be doing that (it's not) and while that may solve your
> specific problem it leaves the more common case unaddressed. If a user
> has installed an addon that creates mashups (injects flickr images
> maybe, or maps?) the user wants to see that content even if the page's
> CSP is not expecting it. We need a more generic way to specify minimum
> required CSP overrides than just "anywhere my protocol appears".
> Depending on the protocol that could just as easily reintroduce the XSS
> problems CSP is trying to prevent.

Currently Firefox extensions can do many dangerous things, and it is a big philosophical question whether the resulting flexibility is worth the extra security risk (I feel strongly that it is). As things stand, it should be possible for responsible extensions such as ours (we implement our own nsIContentPolicy for our protocol) to do things like inject CSS into pages. Chrome's framework is much more restrictive, and it allows this since their chrome-extension: protocol is whitelisted.

Matt

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform