Bug 1706787 Comment 5 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

And now that I've looked at the GH issue I see that you've already run this code from Gusted so I guess it's safe?
And now that I've looked at the GH issue I see that you've already run this code from Gusted so I guess it's safe?

The node script is 7 lines -- that's small enough to see that it's safe. When the GH issue talked about "hardened" sites I imagined lots of impenetrable library code. I'm going to delete my previous comment because I missed the point entirely. _Both_ injections are into the `<head>`. Both should be allowed because it's an extension doing the injecting. The difference is that one _IS_ empty in the sense I thought you meant originally. It shouldn't matter, but it does. (Is it empty, or is it an initialization problem? If we explicitly set `textContent = "";`, which should be the default, does the error go away?)

Why would an empty or uninitialized textContent even matter? CSP shouldn't care _what_ is in the node; decisions are made based on where it is (in this case "inline") and who created it (an extension, not limited by the page's CSP), not what's in it.
