Note that per the CSP spec, browser extensions should NOT be affected by CSP. The fact that they are in browsers is technically a bug, caused by the fact that once you've injected stuff into a page browsers don't so much track where it came from...
This does mean that currently CSP can stop various malware-ish extensions, but also that it stops legitimate ones (e.g. say an extension wants to apply a certain font that the user finds more readable to the entire page). It's a tough tradeoff.