PSA: If your browser extension modifies the DOM & adds markup with inline event handlers (onclick), your code is bad and you should feel bad
They can run code by injecting scripts, the UA knows which scripts are extension-inserted. But JS event handlers just break.
-
-
FWIW if the browser could track the source of all scripts/event handlers it wouldn't be a problem. But in practice it doesn't
-
Are you saying some kind of extension code taint tracking could allow warnings/blocks/reports to be silenced?
-
The will of an extension wins over the will of the page per https://www.w3.org/TR/html-design-principles/#priority-of-constituencies … so exts should be exempt from CSP.
-
So ideally, yes, the browser should know what was added by an extension and not subject it to the page's CSP policy.
-
But in practice it doesn't work, so extension-added markup with JS event handlers will break both the extn & the page.
-
Pretty broad reading of the W3 spec. Are extensions authors, implementors, specifiers or theoretically pure?
-
Extensions are users because they modify the UA to behave according to the user's wishes.
-
I don't know
@arturjanc... "user's wishes" are more nuanced and include not making pages they surf vulnerable to XSS via injected code.
-
I'm not sure I follow what your suggested solution is.
-
Browsers should allow extension-added scripts to run. Extension authors can inject scripts, but not add inline event handlers
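One check that follows from the thread's advice, as an added example that is not code from any of the participants: a small lint an extension author can run over the markup a content script is about to inject, flagging inline handlers and javascript: URLs that a page's CSP (script-src without 'unsafe-inline') will block. The regexes, function names and sample markup are assumptions constructed for this example.

```javascript
// Added example, not code from the thread. A page whose CSP has script-src
// without 'unsafe-inline' blocks inline handlers (onclick=...) and javascript:
// URLs even when an extension inserted them, which is the breakage the thread
// describes; <script> elements injected by an extension are the supported path.
// Regexes, names and sample markup below are constructed for this example.

const TAG_RE = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;        // start tags with attributes
const HANDLER_ATTR_RE = /(?:^|\s)(on[a-z]+)\s*=/gi;   // onclick=, onload=, ...
const JS_URL_ATTR_RE =
  /(?:^|\s)(href|src|action|formaction)\s*=\s*["']?\s*javascript:/gi;

// Returns one {tag, attr, kind} finding per inline-script attribute in the markup.
function auditInjectedMarkup(html) {
  const findings = [];
  for (const [, tag, attrs] of html.matchAll(TAG_RE)) {
    for (const m of attrs.matchAll(HANDLER_ATTR_RE)) {
      findings.push({ tag: tag.toLowerCase(), attr: m[1].toLowerCase(), kind: 'inline-handler' });
    }
    for (const m of attrs.matchAll(JS_URL_ATTR_RE)) {
      findings.push({ tag: tag.toLowerCase(), attr: m[1].toLowerCase(), kind: 'javascript-url' });
    }
  }
  return findings;
}

// True when the page's CSP never has to evaluate extension-authored inline code.
function isCspSafe(html) {
  return auditInjectedMarkup(html).length === 0;
}

// Constructed samples: the pattern the thread warns about, and the same UI
// built without inline script.
const BAD_MARKUP =
  '<div class="ext-bar"><button onclick="extToggle()">Toggle</button>' +
  '<a href="javascript:extOpen()" onmouseover="extHint()">Open</a></div>';

const GOOD_MARKUP =
  '<div class="ext-bar"><button data-ext-action="toggle">Toggle</button>' +
  '<a href="#" data-ext-action="open">Open</a></div>';

// With GOOD_MARKUP the content script wires behaviour up itself, which CSP allows:
//   bar.querySelector('[data-ext-action="toggle"]').addEventListener('click', extToggle);
// and code that must run in the page context goes into an injected <script> element.

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditInjectedMarkup(BAD_MARKUP));
  console.log('bad safe?', isCspSafe(BAD_MARKUP), 'good safe?', isCspSafe(GOOD_MARKUP));
}
```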