Request for clarification on Manifest V3 CSP Header Modifications


Samuel Maddock

Jul 18, 2019, 5:09:59 PM
to Chromium Extensions
The upcoming Manifest V3 changes include restrictions on header modifications as quoted below:

Header Modification

The extensions team recently added support for a new DNR action called removeHeaders which can remove allowlisted headers from requests. This allowlist currently includes Referer, Cookie, and Set-Cookie headers. We welcome feedback from developers on other headers that should be removable. Removing headers from a request should neither reduce the security of sites (e.g. CSP) nor expose user data.

The extensions team is also planning to add support for static header additions and replacements. Additions would add new headers or extend existing headers. For example, an extension could add additional restrictions to CSP rules or add a new Set-Cookie header. Replacements would behave similarly to the removeHeaders action, but rather than removing the matching header(s) it would replace the header(s) with the header(s) specified in the rule's action. Again, we welcome developer feedback on this plan.


I'd like to see further clarification on "an extension could add additional restrictions to CSP rules". Which CSP directives does this apply to? An exhaustive list would be appreciated.

Thanks,
Sam

Simeon Vincent

Jul 18, 2019, 8:43:14 PM
to Chromium Extensions
Apologies for the confusion. I believe it's rooted in my misuse of CSP terminology in the section you quoted. Specifically, I should have said "an extension could add additional restrictions by adding additional content security policies" rather than "an extension could add additional restrictions to CSP rules".

Extensions will not be able to modify the policies set by the remote server using the declarativeNetRequest API. Rather, they can add additional policies that further restrict what resources are allowed to load. In order for a resource to load, it must be allowed by all policies in the page's CSP list. Extensions can define as many or as few directives in their policies as they wish. A more detailed explanation of how multiple policies interact can be found in the CSP spec at https://www.w3.org/TR/CSP3/#multiple-policies.

Simeon - @dotproto
Extensions Developer Advocate
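As an added example (not code from the thread, from Chromium, or from the CSP spec), here is a small model of the rule Simeon describes: a load succeeds only if every policy in the page's CSP list allows it, so a policy an extension appends can tighten but never loosen the server's policy. Source matching covers only scheme, host, wildcard-subdomain, 'self' and 'none' (no paths, nonces or hashes); the policies and origins are constructed sample values.

```javascript
// Added example, not code from the thread: a minimal model of how a page's
// CSP list is evaluated once an extension appends its own policy. A load
// succeeds only if EVERY policy allows it, so an appended policy can only
// tighten the server's policy. Paths, nonces and hashes are not modelled.

// Parse "script-src 'self' https://cdn.example; img-src *" into a Map of
// directive name -> source expressions (duplicates after the first ignored).
function parsePolicy(policyText) {
  const directives = new Map();
  for (const part of policyText.split(";")) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name)) directives.set(name, sources);
  }
  return directives;
}

// Does one source expression match the resource URL?
function sourceMatches(expr, resource, pageOrigin) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return resource.origin === pageOrigin;
  if (expr === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(expr)) return resource.protocol === expr; // e.g. "https:"
  const m = expr.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)$/);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && resource.protocol !== scheme + ":") return false;
  return wildcard ? resource.hostname.endsWith("." + host) : resource.hostname === host;
}

// One policy's verdict; an absent fetch directive falls back to default-src,
// and a policy that sets neither does not restrict the load at all.
function allowedByPolicy(policy, directive, resource, pageOrigin) {
  const sources = policy.get(directive) ?? policy.get("default-src");
  return sources === undefined || sources.some((e) => sourceMatches(e, resource, pageOrigin));
}

// The rule Simeon describes: the load must be allowed by all policies in the list.
function allowedByAll(policyTexts, directive, url, pageOrigin) {
  const resource = new URL(url);
  return policyTexts.map(parsePolicy).every((p) => allowedByPolicy(p, directive, resource, pageOrigin));
}

// Constructed sample: the server's policy plus the one an extension appends.
const PAGE_ORIGIN = "https://app.example";
const SERVER_CSP = "script-src 'self' https://cdn.example; img-src *";
const EXTENSION_CSP = "script-src 'self'; img-src https:";

console.log(allowedByAll([SERVER_CSP], "script-src", "https://cdn.example/a.js", PAGE_ORIGIN)); // true
console.log(allowedByAll([SERVER_CSP, EXTENSION_CSP], "script-src", "https://cdn.example/a.js", PAGE_ORIGIN)); // false
```

Appending a permissive policy such as `script-src *` alongside the server's policy changes nothing, because the server's own policy still has to allow the load.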