Opened 8 years ago

Closed 6 years ago

#5566 closed enhancement (fixed)

[CHROME] One magic flag to hardening CRX and prevent CSP abuse - {"manifest_version": 2}

Reported by: jaedo Owned by: pde
Priority: Medium Milestone:
Component: HTTPS Everywhere/EFF-HTTPS Everywhere Version:
Severity: Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


Since Google Chrome 18 stable released, it's preferably to use "manifest_version": 2 in manifest.json because Content Security Policy by default is too weakly.

At least it possible to detect chrome extension by requesting crx resources via internal protocol.

That's the demo it can detect that I have HTTPS Everywhere installed.

And more about CSP in point of chrome extensions found here

Child Tickets

Change History (7)

comment:1 Changed 8 years ago by jaedo

Component: - Select a componentEFF-HTTPS Everywhere
Owner: set to pde

Ofcourse its about HTTPS Everywhere, cant find how to edit ticket and set correct component. I very sorry.

comment:2 Changed 8 years ago by rransom

Component: EFF-HTTPS EverywhereHTTPS Everywhere: Chrome

comment:3 Changed 8 years ago by pde

We could accept a patch that implements manifest version 2 along with a good Content Security Policy!

Note that there are probably a lot of ways for a website to detect that the client has HTTPS Everywhere installed, and I doubt it will ever be possible to prevent that.

comment:4 Changed 8 years ago by rransom

Why would you care about preventing websites from detecting that HTTPS Everywhere is installed?

comment:6 Changed 8 years ago by pde

Component: HTTPS Everywhere: ChromeEFF-HTTPS Everywhere
Summary: One magic flag to hardening Chrome CRX and prevent CSP abuse - {"manifest_version": 2}[CHROME] One magic flag to hardening CRX and prevent CSP abuse - {"manifest_version": 2}

comment:7 Changed 6 years ago by zyan

Resolution: fixed
Status: newclosed

Closing this because Nick Semenkovich writes:
You can close that ticket. Chrome now requires manifest version 2
(which we're using:

Manifest V2 sets a default CSP of: script-src 'self'; object-src
'self' (

Yay! Go us!

Since we're crazy-paranoid, I'll make a pull request for an even more
aggressive CSP (like default-src: none, that we then override).

Note: See TracTickets for help on using tickets.