by kid-icarus 1847 days ago
I have that same issue, but I would much rather filter out extraneous CSP violations than have some exploited extension exfiltrate sensitive data.

Edit: typo


> I would much rather filter out extraneous CSP violations than have some exploited extension exfiltrate sensitive data

I am not familiar with the architectural framework of browser extensions, but would this already be possible, that is, for an extension to read the contents of the page (which it obviously already has access to) but then send that information using a connection that doesn't operate in the same security context as the page that was read?

I mean, browser extension CSP violations are triggered because the extension just basically injects a script into the page. Is it possible for the extension to just filter the page context and make a remote request by some other means?

> Is it possible for the extension to just filter the page context and make a remote request by some other means?

Yes, it is. I think what you describe is in fact the preferred way in which extensions that need to communicate with a remote service are expected to work, and when implemented that way, the CSP rules (rightly) don't apply.

From what I understood of the article, this alternative way of sending data isn't what they mean by extensions tampering with security headers. The article doesn't go into detail but it would be interesting to see if the header tampering is necessary in all these cases, or if a different approach could work without triggering CSP.