Closed Bug 1400924 Opened 7 years ago Closed 7 years ago

Site with CSP + web extension with CSP = CSP errors

Categories

(WebExtensions :: General, defect, P3)


Tracking

(firefox57 wontfix)

RESOLVED DUPLICATE of bug 1267027

People

(Reporter: Harald, Unassigned)

Details

STR

- Install redux devtools: https://addons.mozilla.org/en-US/firefox/addon/remotedev/
- Go to https://js.stripe.com/v3/

ER: Redux debugging

AR:

- CSP errors: Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src https://js.stripe.com”). Source: !function(t){function __webpack_require_....

Could the CSP rules in the addon conflict with the site's rules?
Andy, who knows more about the inner workings of CSP rules in extensions?
Flags: needinfo?(amckay)
Summary: Site with CDP and web extension with CSP cause CSP errors → Site with CSP + web extension with CSP = CSP errors
(In reply to :Harald Kirschner :digitarald from comment #0)
> Could the CSP rules in the addon conflict with the site's rules?

No. Not unless the add-on changes the site's CSP. The only reason an add-on CSP should apply is if it tries to inject those scripts into one of its own pages.
Flags: needinfo?(amckay)
It is likely to be the opposite: the page's CSP could prevent a script tag injected by an extension's content script from being evaluated (Bug 1267027), based on the page CSP.

In this particular case, it seems to me that the url http://js.stripe.com/v3/ is returning a JavaScript file and the extension is probably trying to inject a script into the tab where the JavaScript file has been loaded, which is likely to be what triggered the CSP error logged.

By inspecting the network request related to http://js.stripe.com/v3/ in the network devtools panel, the following is the returned CSP HTTP header:

> content-security-policy: "default-src 'self'; connect-src 'self' https://api.stripe.com https://errors.stripe.com; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self'; img-src 'self' https://q.stripe.com; font-src data: https:; media-src 'none'; object-src 'self';"
Priority: -- → P3
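The comment above turns on how a browser applies a page's CSP to a script that a content script inserts. As an added example (not code from the bug thread, Firefox or the Redux DevTools extension), the following evaluator parses the header quoted in the comment and answers, for an injected script, whether an inline body or an external URL would be permitted: `script-src` falls back to `default-src`, inline code needs `'unsafe-inline'` or a matching nonce/hash, and a URL must match a source expression. The function names, the constructed test policies and the simplified path and `*` matching are assumptions of this example.

```javascript
// Added example, not code from the bug thread, Firefox or the Redux DevTools
// extension: a small CSP evaluator for the question "would a <script> injected
// into this page be allowed?". Path matching is simplified to a prefix check and
// '*' is treated as "any http(s) URL".

// Constructed input: the response header quoted in the bug report.
const STRIPE_CSP = "default-src 'self'; connect-src 'self' https://api.stripe.com "
  + "https://errors.stripe.com; script-src 'self'; style-src 'self' 'unsafe-inline'; "
  + "frame-src 'self'; img-src 'self' https://q.stripe.com; font-src data: https:; "
  + "media-src 'none'; object-src 'self';";

// Parse "name value value; name value" into a Map; a repeated directive is ignored.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// script-src is governed by default-src when it is absent; null means unrestricted.
function scriptSources(policy) {
  if (policy.has('script-src')) return policy.get('script-src');
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// Inline <script> text (what a content script produces when it appends a script
// element with a body) is allowed only via 'unsafe-inline' or a nonce/hash.
function inlineScriptAllowed(policy, { nonce, hash } = {}) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  if (nonce && sources.includes(`'nonce-${nonce}'`)) return true;
  if (hash && sources.includes(`'${hash}'`)) return true;
  const lower = sources.map((s) => s.toLowerCase());
  // With any nonce or hash source present, 'unsafe-inline' is ignored.
  if (lower.some((s) => s.startsWith("'nonce-") || s.startsWith("'sha"))) return false;
  return lower.includes("'unsafe-inline'");
}

const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// Match one host-source expression ([scheme://]host[:port][/path]) against a URL.
function hostSourceMatches(expr, target) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?(\/.*)?$/.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  if (scheme ? target.protocol !== `${scheme}:` : !(target.protocol in DEFAULT_PORT)) return false;
  if (wildcard ? !target.hostname.endsWith(`.${host}`) : target.hostname !== host) return false;
  const targetPort = target.port || DEFAULT_PORT[target.protocol] || '';
  if (port && port !== '*' && targetPort !== port) return false;
  if (!port && target.port !== '') return false; // no port in the source: only the default port matches
  if (path && !target.pathname.startsWith(path)) return false;
  return true;
}

// External script URL (what a content script produces when it sets script.src).
function scriptUrlAllowed(policy, pageOrigin, url) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  if (sources.length === 0 || (sources.length === 1 && sources[0].toLowerCase() === "'none'")) return false;
  const target = new URL(url);
  const page = new URL(pageOrigin);
  for (const src of sources) {
    const s = src.toLowerCase();
    if (s === "'self'" && target.origin === page.origin) return true;
    if (s === '*' && target.protocol in DEFAULT_PORT) return true;
    if (/^[a-z][a-z0-9+.-]*:$/.test(s) && target.protocol === s) return true;       // scheme-source, e.g. https:
    if (!s.startsWith("'") && s !== '*' && hostSourceMatches(s, target)) return true; // host-source
  }
  return false;
}

// Usage: the scenario from the bug, an extension injecting into https://js.stripe.com/v3/.
const stripePolicy = parseCsp(STRIPE_CSP);
console.log('inline script allowed:', inlineScriptAllowed(stripePolicy)); // false
console.log('same-origin script allowed:',
  scriptUrlAllowed(stripePolicy, 'https://js.stripe.com', 'https://js.stripe.com/v3/extra.js')); // true
```

Run under Node. For the Stripe header the inline case is refused because `script-src 'self'` carries no `'unsafe-inline'`, nonce or hash, which is the blocked load the report's console message describes; a same-origin `script.src` would pass. Dropping `script-src` entirely from a policy makes the evaluator fall back to `default-src`, so a page that only sets `default-src 'self'` restricts injected scripts just as strictly.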
Forgot to mention, Chrome doesn't have the issue.

So it is expected that websites can prevent web extensions from injecting JavaScript? Content scripts are fine but if they inject script elements that fails?
ni? for question in comment 4
Flags: needinfo?(lgreco)
(In reply to :Harald Kirschner :digitarald from comment #4)
> Forgot to mention, Chrome doesn't have the issue.
> 
> So it is expected that websites can prevent web extensions from injecting
> JavaScript? Content scripts are fine but if they inject script elements that
> fails?

See bug 1267027.
Flags: needinfo?(lgreco)
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Product: Toolkit → WebExtensions