Gmail Now Protects Your Inbox From Malevolent Extensions

A popular service like Gmail inevitably becomes a target for hackers. Over the years, Google has made quite a few security improvements, such as requiring HTTPS connections to prevent others from getting access to your email. Today the company announced that it has implemented support for Content Security Policy (CSP) to prevent cross-site scripting attacks and malevolent browser plug-ins from messing with your inbox and (potentially) stealing your data.

Content Security Policy in the way Google has implemented it is a blacklist/whitelist system for stopping sites from loading unsafe code from third-party sites and preventing cross-site scripting attacks. It uses the HTTP header to instruct the browser to only execute and render code from trusted sites. So if an attacker tries to trick the site into loading any other code, the site will simply throw an error.


Google notes that most popular extensions for Gmail have already been updated and should continue to work as usual. In case one of your favorite extensions in Chrome or Firefox stops working, though, Google recommends updating to the latest version.

Chrome, Firefox and Safari currently support CSP. Microsoft’s Internet Explorer only has limited support for an older version of it.