Closed Bug 1294727 Opened 8 years ago Closed 8 years ago

Web Extension: content_security_policy is not honored for remote scripts in background page

Categories

Product/Component: WebExtensions :: Untriaged
Type: defect
Version: 50 Branch
Hardware: x86_64
OS: Windows 10
Priority: Not set
Severity: blocker

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: skfriese, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36

Steps to reproduce:

As noted here: https://discourse.mozilla-community.org/t/web-extension-cannot-load-jquery-into-background-page-due-to-csp/10239/12

Trying to retrofit our working chrome web extension to work in Firefox (Development Edition v50.0a2). 

Using a background HTML page specified in the manifest like so:

"background": {
  "page": "background.html",
  "persistent": false
},

When a page has completed loading in Firefox, the extension initializes itself. The first time, it will perform a request to a remote URL and place the response (JS) in a script tag in the head of the background page.

The following loads the remote script into the head.
// [REMOTE URL] is the HTTPS URL fetched during initialization (not given on this page).
var scriptTag = document.createElement("script");
scriptTag.setAttribute("type", "text/javascript");
scriptTag.setAttribute("src", [REMOTE URL]);
document.head.appendChild(scriptTag);

This script runs in the "background.js" file, which is also included in the "background.html" page like so.
<script src="./background.js"></script>

This *should* be possible, as noted here:
https://developer.mozilla.org/en-US/Add-ons/WebExtensions/Content_Security_Policy

"...use the content_security_policy key to allow the remote origin you need."

Again, this is all functioning as expected in Chrome with the proper CSP key defined in the extension's manifest.
Actual results:

It appears that the "content_security_policy" key in the manifest is completely ignored. Once we were able to move past the original issue with jQuery, we are still met with scripts being blocked from remote sources, even though the URLs are being served over HTTPS, and are included in the "content_security_policy" key in the manifest.

Our CSP key, the contents of which should be displayed in the error, if not properly defined:

"content_security_policy": "script-src 'self' 'unsafe-eval' blob: filesystem: moz-extension: https://127.0.0.1:44301 https://127.0.0.1:44302; object-src 'self' moz-extension: https://127.0.0.1:44301; child-src 'self' https://127.0.0.1:44301 https://127.0.0.1:44302; connect-src 'self' https://127.0.0.1:44301 https://127.0.0.1:44302;",

Firefox blocks the following script tag source from loading in the background page:

https://127.0.0.1:44301/1/Home/InitializeExtension/XXXXXXXX-5913-4a15-9b9e-17fc789e08d3

It shows this as being the CSP that blocked it (looks nothing like ours):

(“script-src moz-extension://XXXXXXXX-2e95-43be-976a-1d67236b301a”)


Expected results:

Firefox should honor the policy included in the "content_security_policy" key in the manifest, and allow the web extension to load a script from a remote location, which includes settings, etc. and details about the authenticated user, such as claims.

Severity: normal → blocker
OS: Unspecified → Windows 10
Hardware: Unspecified → x86_64
Component: Untriaged → WebExtensions
Product: Firefox → Toolkit

Your content policy string is being rejected because you're trying to use the moz-extension: scheme without a host.

Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID

"...you're trying to use the moz-extension: scheme without a host."

I can confirm that removing this from the CSP resolves the issue. Thank you for your time.

Product: Toolkit → WebExtensions