PSA: If your browser extension modifies the DOM & adds markup with inline event handlers (onclick), your code is bad and you should feel bad
The will of an extension wins over the will of the page per https://www.w3.org/TR/html-design-principles/#priority-of-constituencies … so exts should be exempt from CSP.
-
So ideally, yes, the browser should know what was added by an extension and not subject it to the page's CSP policy.
-
But in practice it doesn't work, so extension-added markup with JS event handlers will break both the extn & the page.
-
Pretty broad reading of the W3 spec. Are extensions authors, implementors, specifiers or theoretically pure?
-
Extensions are users because they modify the UA to behave according to the user's wishes.
-
I don't know @arturjanc... "user's wishes" are more nuanced and include not making pages they surf vulnerable to XSS via injected code.
-
Personally I don't like extensions trumping page policy by default. Has anything been done about repurposed extensions?