Issue 105796: Enable CSP for extensions by default
6 people starred this issue and may be notified of changes.
Reported by project member aba...@chromium.org, Nov 29, 2011
Feature description:

Improve the security of the extension system by enabling Content-Security-Policy by default.  Our plan is to introduce a manifest_version attribute to the manifest and trigger this behavior on manifest_version>=2.

Eng owner: abarth

Expected date landing on trunk: Dec 9, 2011

Any new strings? No.

Any implications for Google webservices (i.e. sync, translate)? No.

*Note: submitting this issue will send email to cross-functional reviewers
for launch approval. Please be sure to update the labels below.

Comment 1 by aba...@chromium.org, Nov 29, 2011
(No comment was entered for this change.)
Labels: -Restrict-View-Commit
Comment 2 by jeffreyc@google.com, Nov 29, 2011
(No comment was entered for this change.)
Cc: nepper@chromium.org
Comment 3 by nepper@chromium.org, Dec 6, 2011
(No comment was entered for this change.)
Cc: jhurw...@chromium.org
Comment 4 by aba...@chromium.org, Dec 12, 2011
Technically it won't be on the dev channel until the dev channel updates to M18, but close enough for government work.
Labels: -Dev-Status-WIP Dev-Status-OnDev
Comment 5 by a...@chromium.org, Dec 13, 2011
(No comment was entered for this change.)
Blockedon: 107402
Comment 6 by jeffreyc@google.com, Jan 12, 2012
hey there,

It's time to think about whether this feature is ready to ship in M18. Is it enabled-by-default on trunk yet?

The M18 branch point is on Jan 30, or just slightly over two weeks from now. Would you still like to target this for M18? (Please adjust the Mstone- label accordingly)

We expect M18 to be a relatively light release, given the holidays.

thanks,
Jeff
Comment 7 by aba...@chromium.org, Jan 12, 2012
This feature is going to take a few cycles to fully land because we want all the pieces in place on the stable channel so we don't end up confusing extension developers.  All the pieces we've planned for M18 are in place and enabled on trunk.
Comment 8 by jeffreyc@google.com, Jan 24, 2012
Re: comment #7 -- Does that mean the behavior is changing in M18? Or no?
Comment 9 by a...@chromium.org, Jan 24, 2012
It means that developers can specify manifest_version=2 in m18 and it will result in changed behavior, but that we aren't marketing this feature until m18 is in the stable channel.
Comment 10 by tse...@chromium.org, Jan 25, 2012
(No comment was entered for this change.)
Cc: tse...@chromium.org
Comment 11 by nepper@chromium.org, Jan 27, 2012
as per mkwst's privacy review.
Labels: -Dev-PrivacyReview-No Dev-PrivacyReview-Yes
Comment 12 by jeffreyc@google.com, Jan 27, 2012
Reviewed w/ Linus and the TPMs today; we are a Go for M18.
Comment 13 by jeffreyc@google.com, Jan 31, 2012
discussed w/ mcginty@ and steng@
Labels: -Dev-LegalReview-No Dev-LegalReview-Yes
Comment 14 by jeffreyc@google.com, Feb 3, 2012
(No comment was entered for this change.)
Labels: -Dev-SREReview-No Dev-SREReview-NA
Comment 15 by jeffreyc@google.com, Feb 3, 2012
(No comment was entered for this change.)
Labels: -Dev-MarketingReview-No Dev-MarketingReview-NA
Comment 16 by jeffreyc@google.com, Feb 3, 2012
(No comment was entered for this change.)
Labels: -Dev-UIReview-No -Dev-StringsReviewed-No Dev-UIReview-NA Dev-StringsReviewed-NA
Comment 17 by jeffreyc@google.com, Feb 3, 2012
(No comment was entered for this change.)
Labels: -Dev-AccessibilityReview-No Dev-AccessibilityReview-NA
Comment 18 by arn...@chromium.org, Feb 10, 2012
(No comment was entered for this change.)
Labels: -Dev-ConopsReview-No Dev-ConopsReview-Yes