Closed Bug 1419678 Opened 2 years ago Closed 2 years ago

Webextension: content script honors Content-Security-Policy of the page instead of the one from content_security_policy in manifest.json

Categories

(WebExtensions :: General, defect)

57 Branch
defect
Not set

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1267027

People

(Reporter: chylek.adam, Unassigned)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
Build ID: 20171115095126

Steps to reproduce:

1) Create webextension with a content script. Include some relaxed content_security_policy in manifest.json.
2) Serve a page with a restricted Content-Security-Policy header.
3) Load the content script into that page.
4) Make a request (e.g. XMLHttpRequest) from the content script - make sure it is outside the page's Content-Security-Policy but inside the extension's content_security_policy.


Actual results:

Request is blocked by CSP.


Expected results:

Request should be allowed, as the content_security_policy of the webextension should be honored. (This is a behaviour that background scripts have.)
Component: Untriaged → WebExtensions: General
Product: Firefox → Toolkit
Simple extension that demonstrates the issue.
Install the extension, visit https://content-security-policy.com/browser-test/ (has strict CSP headers) and click the button. In the console, the result shows "WebExtension CSP test failed" if the policy from manifest.json was not used.
Try it in Chrome - it shows "WebExtension CSP test ok".
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1267027
Product: Toolkit → WebExtensions
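To make the reporter's reproduction concrete, the following is an added example written for this page; it is not the attached test extension and not Firefox code. It is a simplified evaluator for the `connect-src` directive (with the `default-src` fallback), which is the directive that governs XMLHttpRequest and fetch. Both policies below are constructed: `PAGE_CSP` stands in for a restrictive header served by the page, and `EXTENSION_CSP` stands in for a relaxed `content_security_policy` from a manifest.json; `api.example.org` and the `moz-extension://placeholder` origin are placeholders. Running the same request URL through both policies shows the situation in the report: blocked under the page's policy, allowed under the extension's. Source matching follows the CSP host-source rules (scheme, wildcard host, port, path prefix) but omits percent-decoding and nonce/hash handling.

```javascript
// Added example, not code from the bug report or from Firefox.
// Constructed sample policies (assumptions, not from the page):
const PAGE_CSP = "default-src 'self'; script-src 'self'; connect-src 'self'";
const EXTENSION_CSP =
  "script-src 'self'; object-src 'self'; connect-src 'self' https://api.example.org";
const PAGE_ORIGIN = "https://content-security-policy.com";      // page shown in the report
const EXTENSION_ORIGIN = "moz-extension://placeholder";          // placeholder extension origin

// Parse a CSP header into Map<directiveName, [sourceExpressions]>.
// Per the spec, a repeated directive is ignored; the first occurrence wins.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function defaultPort(protocol) {
  return protocol === "https:" ? "443" : protocol === "http:" ? "80" : "";
}

// Does one source expression permit a request to `url`, given the policy's 'self' origin?
function sourceMatches(expr, url, selfOrigin) {
  const u = new URL(url);
  const lower = expr.toLowerCase();
  if (lower === "*") return true;
  if (lower === "'self'") return u.origin === new URL(selfOrigin).origin;
  if (lower.startsWith("'")) return false;            // 'none', 'unsafe-inline', nonces, hashes: never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/.test(lower)) return u.protocol === lower;   // scheme-source, e.g. "https:"

  // host-source: [scheme://][*.]host[:port|:*][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?(\/.*)?$/.exec(lower);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;

  const selfScheme = new URL(selfOrigin).protocol;
  if (scheme) {
    if (u.protocol !== scheme + ":") return false;
  } else if (u.protocol !== selfScheme && !(selfScheme === "http:" && u.protocol === "https:")) {
    return false;                                     // no scheme given: inherit self's, allowing http -> https upgrade
  }

  const h = u.hostname.toLowerCase();
  if (wildcard ? !h.endsWith("." + host) : h !== host) return false;

  if (port && port !== "*" && (u.port || defaultPort(u.protocol)) !== port) return false;

  if (path) {
    // A path ending in "/" is a prefix match; otherwise it must match exactly.
    if (path.endsWith("/") ? !u.pathname.startsWith(path) : u.pathname !== path) return false;
  }
  return true;
}

// Would a fetch/XHR to `url` be allowed by this policy? connect-src falls back to default-src;
// with neither directive present the policy places no restriction on connections.
function connectAllowed(cspHeader, url, selfOrigin) {
  const d = parseCsp(cspHeader);
  const sources = d.get("connect-src") ?? d.get("default-src");
  if (sources === undefined) return true;
  return sources.some((expr) => sourceMatches(expr, url, selfOrigin));
}

// The request from the report: outside the page's policy, inside the extension's.
const REQUEST_URL = "https://api.example.org/data";
console.log("page policy allows request:     ", connectAllowed(PAGE_CSP, REQUEST_URL, PAGE_ORIGIN));
console.log("extension policy allows request:", connectAllowed(EXTENSION_CSP, REQUEST_URL, EXTENSION_ORIGIN));
```

Which of the two answers the browser actually uses for a content script is exactly what the report is about; the evaluator only makes visible that the two policies give different answers for the same request, so a test like the attached one can tell them apart.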