Bugzilla

And now that I've looked at the GH issue I see that you've already run this code from Gusted so I guess it's safe?

And now that I've looked at the GH issue I see that you've already run this code from Gusted so I guess it's safe?

The node script is 7 lines -- that's small enough to see that it's safe. when the GH issue talked about "hardened" sites I imagined lots of impenetrable library code.  I'm going to delete my previous comment because I missed the point entirely. _both_ injections are into the <head>. Both should be allowed because it's an extension doing the injecting. The difference is that one _IS_ empty in the sense I thought you meant originally. It shouldn't matter, but it does. (Is it empty, or is it an initialization problem? if we explicitly set `textContent = "";`, which should be the default, does the error go away?)

Why would an empty or uninitialized textContent even matter? CSP shouldn't care _what_ is in the node; decisions are made based on where it is (in this case "inline") and who created it (an extension, not limited by the page's CSP), not what's in it.