Closed Bug 1267291 Opened 5 years ago Closed 5 years ago

Webextensions Content Script CSP Page Policy Issue


(WebExtensions :: Untriaged, defect)

48 Branch
Not set


(Not tracked)



(Reporter: jshackles, Unassigned)


User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Build ID: 20160425030548

Steps to reproduce:

The CSP of the page should not apply to content scripts loaded via WebExtensions.  See - specifically "Additionally, the CSP of the page does not apply to content scripts."

For example, in my extension I load external data from my API servers via content scripts (Jquery $.ajax in JavaScript).  For pages on the site the extension loads on with no CSP policy set, the $.ajax command works fine and returns the correct data.

Actual results:

However, on pages that have specified a CSP, I get the following error in the console when loading those pages while the WebExtension addon is running:

Content Security Policy: The page's settings blocked the loading of a resource at ("connect-src").

Expected results:

These $.ajax requests should return the information from my API server, similar to how it currently functions on pages with no CSP set.  This should be done for further compatibility with Chrome extensions such as mine, but also because the site should not be able to dictate which pages/scripts/etc are loaded from an addon.  In this case, the host server (in my case, Valve's Steam servers) could set a CSP on all pages and prevent WebExtensions from loading content dynamically, making many of the features of my addon break.

In Chrome, these requests are still subject to the browser's cross-origin restrictions.
Component: Untriaged → WebExtensions
Product: Firefox → Toolkit
Closed: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1267027
Product: Toolkit → WebExtensions
You need to log in before you can comment on or make changes to this bug.