Following yesterday's reports of a WordPress attack caused by a third-party plugin, Google has now taken security for its own email client, Gmail, to a whole new level.
According to Gmail's latest blog post, its desktop web client has just been made more secure with the introduction of Content Security Policy (CSP). For those unfamiliar with it, CSP is a security mechanism designed to prevent cross-site scripting (XSS) and related attacks. Put simply, it prevents sites from loading potentially unsafe or malicious code that comes from third-party sites. In Gmail's case, the concern is add-ons and extensions that may be used to breach users' privacy. Google stated in the blog post:
There are many great extensions for Gmail. Unfortunately, there are also some extensions that behave badly, loading code which interferes with your Gmail session, or malware which compromises your email’s security. Gmail’s CSP protects you, by stopping these extensions from loading unsafe code.
They have also noted that the "most behaved" and most popular Gmail extensions have been updated to the new CSP standard. However, if any of your favorite extensions has suddenly stopped working, Google recommends updating to the latest version of that extension.
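As an added illustration (not taken from the Gmail blog post or from Google's code), the following is a simplified model of how a browser decides whether a script URL is permitted by a CSP `script-src` source list. The policy string, hostnames and function names are constructed for this example and do not reflect Gmail's actual policy.

```javascript
// Simplified model of CSP script-src matching. Handles 'none', 'self', '*',
// scheme sources and host sources with a leading "*." wildcard.
// Nonces, hashes, paths and explicit ports are not modelled and fail closed.

function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    // A repeated directive is ignored; the first occurrence wins.
    if (name && !directives.has(name)) directives.set(name, sources);
  }
  return directives;
}

function sourceAllows(source, url, page) {
  if (source === "'self'") return url.origin === page.origin;
  if (source === '*') return ['http:', 'https:'].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return url.protocol === source;
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([a-z0-9.*-]+)$/);
  if (!m) return false; // 'none', nonce, hash or unsupported form
  const [, scheme, host] = m;
  // A host source without a scheme inherits the page's scheme
  // (an http page may still load the script over https).
  const schemeOk = scheme
    ? url.protocol === scheme + ':'
    : url.protocol === page.protocol || url.protocol === 'https:';
  const hostOk = host.startsWith('*.')
    ? url.hostname.endsWith(host.slice(1)) // "*.x.test" does not match "x.test"
    : url.hostname === host;
  // A host source without a port only matches the scheme's default port.
  return schemeOk && hostOk && url.port === '';
}

function scriptAllowed(header, scriptUrl, pageUrl) {
  const policy = parsePolicy(header);
  // script-src falls back to default-src; with neither, CSP imposes no limit.
  const sources = policy.get('script-src') ?? policy.get('default-src');
  if (sources === undefined) return true;
  const page = new URL(pageUrl);
  const url = new URL(scriptUrl, page); // resolves relative script URLs
  return sources.some((s) => sourceAllows(s, url, page));
}

// Constructed policy and page URL for illustration.
const POLICY = "default-src 'none'; script-src 'self' https://*.static.example";
const PAGE = 'https://mail.example/inbox';
```

Under this constructed policy, a script injected by an extension from any host outside the page's own origin and `*.static.example` is refused, which is the behaviour the blog post describes.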
The new policy will mean a safer and more private Gmail experience for every one of its users. Last June, in a battle against email snooping by the National Security Agency (NSA), Google made fun of the organization by including an Easter egg in an email encryption plugin. However, the search engine giant itself landed in hot water after reports stated that it scans its users' emails to target them with ads.
Source: Official Gmail Blog