Question

When I install this Ginger extension on Chrome: https://chrome.google.com/webstore/detail/spell-and-grammar-checker/kdfieneakcjfaiglcfcgkidlkmlijjnh?utm_source=chrome-ntp-icon

and view my page: http://start.funmoods.com/results.php?q=hotel.com&a=undefined&category=web&start=1&fc=br

as you can see at the top, when the "Ginger" extension is on, the page is pushed down.

Do you know why my CSP allowed Ginger to load its HTML?

Here are my CSP headers:

You can view them yourself in the Chrome developer tools.

Cache-Control:no-cache, must-revalidate
Connection:keep-alive
Content-Encoding:gzip
Content-Security-Policy:default-src ; script-src 'self' http://www.google-analytics.com http://suggest.infospace.com http://api.autocompleteplus.com http://www.googletagservices.com http://d.yimg.com https://completr.appspot.com; frame-src 'self' http://.yhs4.search.yahoo.com http://ad.adserver-pro.net; font-src 'none' ; connect-src 'self'; media-src 'self'; object-src 'none'; style-src 'self' ;
Content-Type:text/html
Date:Wed, 06 Nov 2013 09:22:47 GMT
Expires:Sat, 26 Jul 1997 05:00:00 GMT
Server:nginx
Set-Cookie:fm=YT11bmRlZmluZWQmdXJlZj0mY2Q9JmNyPSY%3D; expires=Fri, 06-Dec-2013 09:22:47 GMT
Set-Cookie:rs=…%3D%3D; expires=Tue, 27-Oct-2015 09:22:47 GMT
Transfer-Encoding:chunked
X-Content-Security-Policy:default-src ; script-src 'self' http://www.google-analytics.com http://suggest.infospace.com http://api.autocompleteplus.com http://www.googletagservices.com http://d.yimg.com https://completr.appspot.com; frame-src 'self' http://.yhs4.search.yahoo.com http://ad.adserver-pro.net; font-src 'none' ; connect-src 'self'; media-src 'self'; object-src 'none'; style-src 'self' ;
X-WebKit-CSP:default-src ; script-src 'self' http://www.google-analytics.com http://suggest.infospace.com http://api.autocompleteplus.com http://www.googletagservices.com http://d.yimg.com https://completr.appspot.com; frame-src 'self' http://.yhs4.search.yahoo.com http://ad.adserver-pro.net; font-src 'none' ; connect-src 'self'; media-src 'self'; object-src 'none'; style-src 'self' ;


Solution

In short: Because that's not what the CSP does.

According to the CSP Processing Model, CSP should not interfere with the operation of browser add-ons or extensions installed by the user. This feature of CSP effectively allows any add-on or extension to inject script into web sites, regardless of the origin of that script, and thus be exempt from CSP policies. The W3C Web Application Security Working Group considers such script to be part of the Trusted Computing Base implemented by the browser; however, some consider this exemption to be a potential security hole that could be exploited by malicious or compromised add-ons or extensions.

http://en.wikipedia.org/wiki/Content_Security_Policy
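To make the answer concrete, here is an added example (written for this page, not code from the question, the answer, or any browser) that evaluates the policy quoted in the question the way a browser's CSP 1.0 fetch check does: the directive's own source list is consulted, a missing directive falls back to default-src, and an empty source list (the `default-src ;` in the question) matches nothing, just like 'none'. The URLs ending in .invalid are constructed test inputs; the page origin http://start.funmoods.com comes from the question. Extension-injected markup never enters this check at all, which is the point of the answer: the policy only governs resources the page itself asks the browser to fetch.

```python
from urllib.parse import urlsplit

# Page origin and policy as quoted in the question (the X-Content-Security-Policy
# and X-WebKit-CSP headers carry the identical policy).
PAGE_ORIGIN = "http://start.funmoods.com"
POLICY_HEADER = (
    "default-src ; "
    "script-src 'self' http://www.google-analytics.com http://suggest.infospace.com "
    "http://api.autocompleteplus.com http://www.googletagservices.com "
    "http://d.yimg.com https://completr.appspot.com; "
    "frame-src 'self' http://.yhs4.search.yahoo.com http://ad.adserver-pro.net; "
    "font-src 'none' ; connect-src 'self'; media-src 'self'; object-src 'none'; "
    "style-src 'self' ;"
)

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(header):
    """Split a CSP header into {directive-name: [source-expressions]}.
    A directive given with no sources (the 'default-src ;' above) keeps an
    empty list, which in CSP 1.0 matches nothing, the same as 'none'."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins
    return policy


def origin_of(url):
    """(scheme, host, port) of a URL, with the scheme's default port filled in."""
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme))


def source_allows(source, url, page_origin):
    """Does one source expression permit fetching `url`?
    Simplified CSP 1.0 host matching: scheme, host (with *. wildcard) and port;
    CSP 1.0 had no path matching, so none is attempted here."""
    if source == "'self'":
        return origin_of(url) == page_origin
    if source.startswith("'"):            # 'none', 'unsafe-inline', ...: never match a URL
        return False
    scheme, host, port = origin_of(url)
    if source.endswith(":") and "//" not in source:   # scheme-source such as https:
        return scheme == source[:-1].lower()
    pat = urlsplit(source if "://" in source else "//" + source)
    want_scheme = pat.scheme or page_origin[0]        # schemeless host inherits the page scheme
    if scheme != want_scheme:
        return False
    want_host = pat.hostname or ""
    if want_host == "*":
        host_ok = True
    elif want_host.startswith("*."):
        host_ok = host.endswith(want_host[1:])
    else:
        host_ok = host == want_host
    want_port = pat.port or DEFAULT_PORTS.get(want_scheme)
    return host_ok and port == want_port


def policy_allows(policy, directive, url, page_origin=None):
    """Fetch rule: use the directive's own list, else fall back to default-src.
    No applicable directive at all means the fetch is unrestricted."""
    page_origin = page_origin or origin_of(PAGE_ORIGIN)
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    return any(source_allows(s, url, page_origin) for s in sources)


if __name__ == "__main__":
    policy = parse_csp(POLICY_HEADER)
    checks = [
        ("script-src", "http://www.google-analytics.com/ga.js"),   # listed host
        ("script-src", "http://start.funmoods.com/app.js"),        # 'self'
        ("script-src", "http://attacker.invalid/x.js"),            # constructed, unlisted
        ("script-src", "http://completr.appspot.com/c.js"),        # only https listed
        ("img-src", "http://start.funmoods.com/logo.png"),         # falls back to empty default-src
    ]
    for directive, url in checks:
        print(f"{directive:11} {url:45} allowed={policy_allows(policy, directive, url)}")
    print("Markup injected by an extension is never submitted to this check; "
          "the browser treats it as part of its trusted computing base.")
```

Two things worth noticing when you run it: the `default-src ;` with no sources means even a same-origin image would be blocked, because img-src falls back to an empty list, and the whole evaluator is silent about the Ginger toolbar, because the browser never routes extension-injected content through the page's policy.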

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow