Closed Bug 1323478 Opened 3 years ago Closed Last year

It's really hard to debug rogue addons that violate CSP

Categories

(WebExtensions :: Developer Tools, defect)

47 Branch
defect
Not set

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: peterbe, Unassigned)

Attachments

(1 file)

See attached screenshot. 

It appears as if I have two CSP violations on this site. As if I've included a piece of .js or something on a domain that doesn't match the existing CSP policy headers. But it's not the case. The site works just fine and nothing is broken. No CSP violations shown when using Chrome. 

When I click "Firefox:1" in the upper right hand corner of the console logs it just opens the view source without pointing at anything. E.g. view-source:http://socorro.dev/home/product/Firefox

It's likely that it's some "nasty" addon that tries to inject stuff in the DOM on load and the CSP rejects it but it's impossible to tell which/what. We should try to fix that with better context in the error reporting.
Component: Developer Tools → Developer Tools: Console
This issue caused confusion for me just now too:
https://github.com/mozilla/http-observatory-website/issues/142
See Also: → 1267027
Probably better tracked under add-ons work.
Component: Developer Tools: Console → WebExtensions: Developer Tools
Product: Firefox → Toolkit
There's not much we can do about this, really. We already make extensions exempt from CSP where we can. Bug 1446231 will probably fix this issue, but there will probably still be plenty of other cases where add-ons inject scripts into the page context, and those scripts do things that violate the page's CSP. We can't really track that.
Product: Toolkit → WebExtensions
Status: NEW → RESOLVED
Closed: Last year
Resolution: --- → WONTFIX
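
An added example, not part of this bug thread or of Firefox's code: since the console cannot say which add-on caused a violation, a site that collects CSP reports can at least separate likely add-on noise from violations in its own code. The report field names follow the standard `report-uri` JSON body; the function name, the sample reports and the "unattributed" heuristic (a violation pinned on the document itself at line 0 or 1, like the "Firefox:1" link described above) are assumptions made for this illustration.

```javascript
// Added example: sort CSP violation reports (report-uri JSON body) into
// extension noise, unattributed violations, and violations to fix in the site.
const EXTENSION_SCHEMES = ["moz-extension:", "chrome-extension:"];

// blocked-uri can be a keyword ("inline", "eval", "self") instead of a URL.
function schemeOf(value) {
  const m = /^([a-z][a-z0-9+.-]*:)/i.exec(value || "");
  return m ? m[1].toLowerCase() : "";
}

function triageCspReport(body) {
  const r = (body && body["csp-report"]) || {};
  const source = r["source-file"] || "";
  const line = r["line-number"] || 0;
  const directive = r["violated-directive"] || "";
  // An extension URL in either field identifies the add-on directly.
  const urls = [r["blocked-uri"], source];
  if (urls.some((u) => EXTENSION_SCHEMES.includes(schemeOf(u)))) {
    return { verdict: "extension", directive };
  }
  // Assumed heuristic: no source position beyond the document itself means
  // the page's own markup is an unlikely origin; injected content is a suspect.
  if ((source === "" || source === r["document-uri"]) && line <= 1) {
    return { verdict: "unattributed", directive };
  }
  return { verdict: "site", directive };
}

// Constructed sample reports (not captured from a real site).
const SAMPLE_REPORTS = [
  { "csp-report": { "document-uri": "https://app.example/home",
      "violated-directive": "script-src",
      "blocked-uri": "moz-extension://00000000-0000-0000-0000-000000000000/inject.js",
      "source-file": "https://app.example/home", "line-number": 1 } },
  { "csp-report": { "document-uri": "https://app.example/home",
      "violated-directive": "style-src", "blocked-uri": "inline",
      "source-file": "https://app.example/home", "line-number": 1 } },
  { "csp-report": { "document-uri": "https://app.example/home",
      "violated-directive": "script-src", "blocked-uri": "https://cdn.example/lib.js",
      "source-file": "https://app.example/static/main.js", "line-number": 42 } },
];

for (const report of SAMPLE_REPORTS) {
  const t = triageCspReport(report);
  console.log(`${t.verdict.padEnd(12)} ${t.directive}`);
}
```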