Google bakes W3C malware-buster into Gmail
Content Security Policy standard means non-complying extensions SHALL NOT PASS!
If an online service offers even the slightest gap through which miscreants can launch an attack, they will do so. It's therefore not surprising that Google feels some extensions to its Gmail service may not be entirely friendly to users.
The effect of doing so is simple: Gmail extensions that aren't CSP-compliant won't work any more as Google's adoption of the standard means unapproved code won't load into a browser.
Google warns adopting CSP may mean a few hiccups for users running extensions that comply, but haven't yet updated to reflect that fact. But the company also feels adopting CSP is a worthy security improvement. ®