
Gmail gets Content Security Policy support to stop extensions from loading unsafe code


Google today added support for Content Security Policy (CSP) to Gmail. The security feature protects users by stopping extensions from loading unsafe code.

CSP is a computer security concept for preventing cross-site scripting (XSS) and related attacks. It provides a standard HTTP header that allows website owners to declare approved sources of content (such as JavaScript, CSS, HTML frames, fonts, images, and even embeddable objects like Java applets, ActiveX, audio, and video files) that browsers should be allowed to load on a given page.
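To make the mechanism concrete, here is an added sketch (not from the original article, and not Gmail's actual policy) of how a policy header is parsed and checked against a resource URL. The policy string, hostnames and function names are constructed for illustration, and port, path and nonce matching are left out.

```javascript
// Added example: simplified CSP source matching (ports, paths and nonces omitted).
// Constructed policy for illustration; this is not Gmail's real header.
const SAMPLE_POLICY =
  "default-src 'self'; script-src 'self' https://static.example.com; img-src *; object-src 'none'";

// Parse a header value into a Map of directive name -> list of source expressions.
function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Does one source expression match the (already resolved) resource URL?
function sourceMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces: no URL match
  if (source === "*") return ["http:", "https:"].includes(url.protocol); // simplified wildcard
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(source);
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ":") return false;
  const h = host.toLowerCase();
  // "*.example.com" matches subdomains only, never example.com itself.
  return h.startsWith("*.") ? url.hostname.endsWith(h.slice(1)) : url.hostname === h;
}

// Decide whether a resource of the given kind ("script", "img", ...) may load.
function isAllowed(policy, kind, resourceUrl, pageUrl) {
  const directives = parseCsp(policy);
  // Fetch directives fall back to default-src when the specific one is absent.
  const sources = directives.get(`${kind}-src`) ?? directives.get("default-src");
  if (sources === undefined) return true; // nothing applicable: CSP does not restrict it
  const url = new URL(resourceUrl, pageUrl);
  return sources.some((s) => sourceMatches(s, url, new URL(pageUrl).origin));
}

const PAGE = "https://mail.example.com/inbox"; // constructed page URL
for (const u of ["/app.js", "https://static.example.com/lib.js", "https://cdn.other.example/inject.js"]) {
  console.log(u, isAllowed(SAMPLE_POLICY, "script", u, PAGE) ? "allowed" : "blocked");
}
```

A script that an extension injects from an origin missing from `script-src` falls into the "blocked" case, which is why extensions had to be updated to keep working.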


While there are a variety of decent extensions for Gmail, some can interfere with your session or even compromise your email’s security. This can be done accidentally (meaning simply poor programming) or maliciously (attackers intending to silently gain access to your inbox or redirect content).

Google says that “most popular (and well-behaved) extensions have already been updated to work with the CSP standard.” If your extension stops working in Gmail because of the newly added CSP support, the company recommends installing the extension’s latest version.


You can update your extension from your browser’s app store (like the Chrome Web Store or Firefox Add-Ons) or directly from the author’s website. If you have many add-ons, extensions, and plugins loaded in your browser, now might be a good time to make sure you need all of them.

Today’s addition of CSP support only applies to the Web version of Gmail. Google didn’t say if and when the company plans to bring it to mobile devices.

While extensions are predominantly for the desktop, the company would be wise to bring the feature to mobile, given how frequently email is consumed on the go, especially in the business world. That’s exactly who this feature is aimed at, but this rollout is for all Gmail users, so everyone is getting the benefit (and in some cases, headache) of having their extensions double checked.
