Closed Bug 1415997 Opened 7 years ago Closed 7 years ago

Content-Security-Policy blocks WebExtension content scripts and web_accessible_resources

Categories

(WebExtensions :: General, defect)

56 Branch
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1310082

People

(Reporter: onyshchuk, Unassigned)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Build ID: 20171024165158

Steps to reproduce:

Install tiny WebExtension from attachment. It contains only content script:
//////
console.log("=== It is content script ===");
var img = document.createElement("img");
img.setAttribute("src", chrome.extension.getURL("sun.png"));
document.body.appendChild(img);
//////
and 
web_accessible_resources: 
sun.png


Actual results:

On every site without HTTP header Content-Security-Policy we will see sun image on the page (web_accessible_resources) and line
=== It is content script ===
in the Web Console
If you will go to addons.mozilla.org with HTTP header Content-Security-Policy then you will not see either the sun picture or the wanted line in the console.
Also Web Console will contain errors like:
"Content Security Policy: The page’s settings blocked the loading of a resource at self"


Expected results:

If you will install this WebExtention into Chrome you will see sun on addons.mozilla.org with HTTP header Content-Security-Policy and line
=== It is content script ===
in the Web Console.
I am thinking HTTP header Content-Security-Policy should not block any content of WebExtensions.
Component: Untriaged → WebExtensions: General
Product: Firefox → Toolkit
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Product: Toolkit → WebExtensions
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: