
Does disabling CSP headers on a site go against Chrome Web Store policies?


Adnan Khan

Dec 9, 2024, 12:30:47 PM
to Chromium Extensions
I'm reading some articles and people are complaining that some extensions are disabling CSP headers entirely (which is definitely wrong), and now this makes me wonder if Chrome has revised their policies regarding usage of `declarativeNetRequest` to remove CSP headers from incoming responses?

My extension relies on removing it for a certain site, on a specific tab, for a specific domain (to reduce the risk to the maximum), and I am not able to find any policy document to see whether what I am doing is right or wrong. (I may need to remove CSP for certain sites to load iframes, as there is no way to load iframes in it or execute scripts in page context.)

If anyone can give more insights on this, would be really helpful.

Thanks!
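
The scoping described in the post above (one site, one tab, one domain) can be checked mechanically before rules are installed. This is an added example, not code from the thread or from any extension; the function names, sample rules and the `vendor.example` domain are constructed, and treating `requestDomains` and `tabIds` as mandatory is an assumption of this audit, not a Chrome Web Store requirement.

```javascript
// Audit declarativeNetRequest rules that strip or overwrite CSP response headers.
const CSP_HEADERS = new Set([
  "content-security-policy",
  "content-security-policy-report-only",
]);

// True when a modifyHeaders rule removes or replaces a CSP header.
function weakensCsp(rule) {
  const action = rule.action || {};
  if (action.type !== "modifyHeaders") return false;
  return (action.responseHeaders || []).some(
    (h) => CSP_HEADERS.has(String(h.header).toLowerCase()) &&
           (h.operation === "remove" || h.operation === "set"));
}

// Returns one finding per CSP-weakening rule that is not pinned to
// explicit domains and explicit tabs (this audit's own policy, see lead-in).
function auditCspRules(rules) {
  const findings = [];
  for (const rule of rules) {
    if (!weakensCsp(rule)) continue;
    const cond = rule.condition || {};
    const problems = [];
    if (!(cond.requestDomains || []).length)
      problems.push("no requestDomains: header is stripped on every site");
    // tabIds is only honoured for session-scoped rules (updateSessionRules).
    if (!(cond.tabIds || []).length)
      problems.push("no tabIds: header is stripped in every tab");
    if (problems.length) findings.push({ id: rule.id, problems });
  }
  return findings;
}

// Constructed sample rules: 1 is global, 2 is fully scoped, 3 lacks a tab, 4 is unrelated.
const removeCsp = { type: "modifyHeaders",
  responseHeaders: [{ header: "Content-Security-Policy", operation: "remove" }] };
const frames = ["main_frame", "sub_frame"];
const SAMPLE_RULES = [
  { id: 1, action: removeCsp, condition: { urlFilter: "*", resourceTypes: frames } },
  { id: 2, action: removeCsp, condition: { requestDomains: ["vendor.example"],
      tabIds: [42], resourceTypes: frames } },
  { id: 3, action: removeCsp, condition: { requestDomains: ["vendor.example"],
      resourceTypes: frames } },
  { id: 4, action: { type: "block" }, condition: { urlFilter: "ads" } },
];

console.log(JSON.stringify(auditCspRules(SAMPLE_RULES), null, 2));
```
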

Patrick Kettner

Dec 9, 2024, 1:15:31 PM
to Adnan Khan, Chromium Extensions
It is allowed, as long as it is clearly expressed to the user that it is the intended behavior of the extension.


Adnan Khan

Dec 9, 2024, 1:18:15 PM
to Chromium Extensions, Patrick Kettner
So disabling of CSP headers only takes place when the user clicks a specific icon on our main website; from there the user knows what the extension is doing (kinda automatic, it's a scanner-type extension).
But definitely, we might not show any popup to the user that we are disabling CSP, as to achieve the task (when the user clicked the vendor on our main website) we need to do it. Is that OK as well?

Patrick Kettner

Dec 10, 2024, 5:52:18 AM
to Adnan Khan, Chromium Extensions
Can’t approve anything other than the actual submitted extension, but the point is that it’s not secretly doing something that is unclear to end users.