Open Bug 1294996 Opened 3 years ago Updated 4 months ago

Ignore CSP for blob URIs with moz-extension origin


(WebExtensions :: Request Handling, defect, P3)



(Not tracked)



(Reporter:, Unassigned)


(Blocks 1 open bug)


(Whiteboard: triaged)

In response to bug 1267027 comment 9

> It would be much easier to just treat blobs with moz-extension: origins as CSP-exempt, like we do for moz-extension: URLs themselves. Feel free to file a separate bug for that, and I'll look into implementing it.

The intended use-case is to work around CSPs by downloading content via XHR and then putting the extension blob URI into the various attributes that are normally protected by CSP.
A way of creating such blob URIs for the content script would also be necessary.

Is that actually any easier than creating moz-extension: URIs from Blobs?
Priority: -- → P3
After some experimenting with a custom protocol handler it seems like  nsIProtocolHandler.URI_FETCHABLE_BY_ANYONE simply causes it to be treated as same-origin, but this is insufficient if the CSP uses script-src: none or some 3rd party only (no 1st-party scripts). I.e. it doesn't actually bypass CSP, it just happens to work if CSP allows "self".
Component: WebExtensions → WebExtensions: Request Handling
Whiteboard: triaged
See Also: → 1267027
I have the following code in an extension content script:

  const imagePath = browser.extension.getURL("/img/img.png");
  const response = await fetch(imagePath);
  const blob = await response.blob();
  const objectUrl = URL.createObjectURL(blob);
  imageElement.src = objectUrl;

When loading into I get the following warning:

Content Security Policy: The page's settings blocked the loading of a resource at blob: ("img-src https://* https://* https://* data: https://* https://*").

The image is prevented from loading when extensions should override the security model of the page and behave like the browser.

Ideally I would use an out of content overlay but this hasn't been implemented yet.
>  blob:

This is not a blob URI with an extension origin. You would presumably have to create those URIs in a background page so that they have the right origin. But even then this bug would still have to be implemented.
We had a CSP issue similar to this as we were loading JS and CSS files as blobs which were included in the extension. The trick was to add blob: to the CSP rule in the manifest.json to prevent the error i.e.

"content_security_policy": "script-src 'self' 'unsafe-eval' https://* blob:; object-src 'self' https://*;",
Loading blob URLs in (trusted) extension contexts is a separate issue from exempting blobs with extension origin from CSP in (untrusted) web content. Sure, one could manipulate the headers and meta tags, but that seems like a security risk for content if an extension gets it wrong.
I think there might be a bug with the error reported too, I should have mentioned that. I didn't have chance to dig further but they were generated correctly.

Also Bug 1267027 should hopefully address this too
(In reply to Jonathan Kingston [:jkt] from comment #7)
> Also Bug 1267027 should hopefully address this too

See comment 0 this bug was explicitly filed in response to a comment in the other bug since that would take more effort and increase potential exploit surface (e.g. confusing an addon into spawning privileged DOM nodes which then load SOP- or CORS-violating content).
Product: Toolkit → WebExtensions
My extension "Worldwide Radio"

Some radios use HLS stream (example: Radio Capital (Italy)).
but the hls-library recommended by Mozilla ( ) does not work in WebExtensions:

Error: Content Security Policy: The page’s settings blocked the loading of a resource at blob:moz-extension://58d8b783-8c10-4b1c-b365-058c9fb6df04/5496a970-7784-47e7-8e51-2f65322f30ae («script-src»).

the part of code from hls library:

      var buffer_controller_MediaSource = window.MediaSource || window.WebKitMediaSource;
      // setup the media source
      var ms = this.mediaSource = new buffer_controller_MediaSource();
      ms.addEventListener('sourceopen', this.onmso);
      ms.addEventListener('sourceended', this.onmse);
      ms.addEventListener('sourceclose', this.onmsc);
      // link video and media Source
      media.src = window.URL.createObjectURL(ms);
You need to log in before you can comment on or make changes to this bug.