Closed Bug 1363139 Opened 3 years ago Closed 3 years ago

WebExtensions should not obey CSP

Categories

(WebExtensions :: Untriaged, defect)

55 Branch
defect
Not set

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1267027

People

(Reporter: petcuandrei, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0
Build ID: 20170508100218

Steps to reproduce:

I installed this WebExtension https://andreicristianpetcu.github.io/chrome2firefox/addons/my_web_extensions/google_translate_this_page-1.0.0-an+fx.xpi

Then I visited https://github.com/devtools-html/debugger.html

Right-clicked on the page and clicked "Translate Current Page"


Actual results:

I got CSP errors in the browser console and it did not translate the page.

21:56:20.446 Loading failed for the <script> with source “https://translate.google.com/translate_a/element.js?cb=googleTranslateElementInit”. debugger.html:1
21:56:20.452 Content Security Policy: Setările paginii au blocat încărcarea unei resurse la self („script-src https://assets-cdn.github.com”). Source: googleTranslateElementInit = function(){.... debugger.html:1
21:56:20.452 Content Security Policy: Setările paginii au blocat încărcarea unei resurse la https://translate.google.com/translate_a/element.js?cb=googleTranslateElementInit („script-src https://assets-cdn.github.com”).


Expected results:

It should have popped up the Google translate bar like on any other web site. You can try it out on this page https://devtools-html.github.io/debugger.html/

I think WebExtensions are installed by the user, and since CSP aims to protect users from XSS, clickjacking and other code injection, it makes no sense that the web site should block WebExtensions in any way. If all web sites were to enforce CSP, then a lot of extensions would stop working, since they basically inject code into web sites to add features to the web site or to the browser.
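Why both loads in the console output above were refused, as an added example that is not part of the original report and is not Firefox's code: a simplified `script-src` matcher run against the directive and URLs from the log. The function names, the third script URL and the reduced matching rules (no nonces, hashes or path matching) are assumptions of this sketch.

```javascript
// Simplified CSP script check: host/scheme sources, 'self', 'none', 'unsafe-inline'.
// Not modelled: nonces, hashes, 'strict-dynamic', path matching, http->https upgrade.
function sourceList(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  // script-src falls back to default-src; null means scripts are unrestricted
  return directives.get('script-src') ?? directives.get('default-src') ?? null;
}
const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

function matchesSource(source, url, page) {
  const s = source.toLowerCase();
  if (s === '*') return url.protocol in DEFAULT_PORT; // http(s) only in this sketch
  if (s === "'self'") return url.origin === page.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?(?:\/.*)?$/.exec(s);
  if (!m) return false; // 'none', other keywords, unsupported expressions
  const [, scheme, wildcard, host, port] = m;
  if ((scheme ? scheme + ':' : page.protocol) !== url.protocol) return false;
  const hostOk = wildcard ? url.hostname.endsWith('.' + host) : url.hostname === host;
  const urlPort = url.port || DEFAULT_PORT[url.protocol];
  return hostOk && (port === '*' || (port ?? DEFAULT_PORT[url.protocol]) === urlPort);
}

function evaluateScript(policy, pageUrl, script) {
  const sources = sourceList(policy);
  if (sources === null) return { allowed: true, reason: 'no script-src or default-src' };
  if (script.inline) {
    const ok = sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
    return { allowed: ok, reason: ok ? "'unsafe-inline' present" : "inline script, no 'unsafe-inline'" };
  }
  const page = new URL(pageUrl), url = new URL(script.src, page);
  const hit = sources.find((s) => matchesSource(s, url, page));
  return { allowed: hit !== undefined, reason: hit ? `matched ${hit}` : `${url.origin} not in source list` };
}

// Directive and URLs taken from the console output above; the third URL is constructed.
const POLICY = 'script-src https://assets-cdn.github.com';
const PAGE = 'https://github.com/devtools-html/debugger.html';
const SCRIPTS = [
  { inline: true },
  { src: 'https://translate.google.com/translate_a/element.js?cb=googleTranslateElementInit' },
  { src: 'https://assets-cdn.github.com/constructed-example.js' },
];
const results = SCRIPTS.map((s) => evaluateScript(POLICY, PAGE, s));
results.forEach((r, i) => console.log(SCRIPTS[i].src ?? '(inline)', r.allowed ? 'allowed' : 'blocked', '-', r.reason));
```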
Component: Untriaged → WebExtensions: Untriaged
Product: Firefox → Toolkit
Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1267027
They should, though arguably they shouldn't be bound by it.
Product: Toolkit → WebExtensions