Closed
Bug 1419678
Opened 7 years ago
Closed 7 years ago
Webextension: content script honors Content-Security-Policy of the page instead of the one from content_security_policy in manifest.json
Categories
(WebExtensions :: General, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 1267027
People
(Reporter: chylek.adam, Unassigned)
Details
Attachments
(1 file)
881 bytes,
application/octet-stream
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
Build ID: 20171115095126

Steps to reproduce:
1) Create webextension with a content script. Include some relaxed content_security_policy in manifest.json.
2) Serve a page with a restricted Content-Security-Policy header.
3) Load the content script into that page.
4) Make a request (e.g. XMLHttpRequest) from the content script - make sure it is outside of the page's Content-Security-Policy, but inside of extension's content_security_policy.

Actual results:
Request is blocked by CSP.

Expected results:
Request should be allowed, as content_security_policy of the webextension should be honored. (this is a behaviour that background scripts have).
Reporter
Updated•7 years ago
Component: Untriaged → WebExtensions: General
Product: Firefox → Toolkit
Reporter
Comment 1•7 years ago
Simple extension that demonstrates the issue. Install the extension, visit https://content-security-policy.com/browser-test/ (has strict CSP headers) and click the button. In console, the result shows "WebExtension CSP test failed" if the policy from manifest.json was not used. Try it in Chrome - it shows "WebExtension CSP test ok".
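The mismatch in step 4 of the report, as an added example that is not the reporter's attachment or Firefox code: a simplified connect-src matcher evaluates the same request against a page policy and an extension policy. Both policy strings, the origins and the target URL are constructed for illustration, and the function names are hypothetical.

```javascript
// Simplified model of CSP connect-src matching (an assumption-laden sketch):
// handles 'none', 'self', *, scheme sources (https:) and host sources with an
// optional leading "*.". Ports and paths in source expressions are not modelled.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // As in CSP, the first occurrence of a directive wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function sourceMatches(source, url, selfOrigin) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return url.origin === selfOrigin;
  if (src === '*') return url.protocol === 'http:' || url.protocol === 'https:';
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return url.protocol === src;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)$/.exec(src);
  if (!m) return false;
  if (m[1] && url.protocol !== m[1] + ':') return false;
  return m[2] ? url.hostname.endsWith('.' + m[3]) : url.hostname === m[3];
}

function connectAllowed(policy, target, selfOrigin) {
  const directives = parsePolicy(policy);
  // connect-src falls back to default-src; with neither, nothing is restricted.
  const sources = directives.get('connect-src') ?? directives.get('default-src');
  if (sources === undefined) return true;
  const url = new URL(target);
  return sources.some((s) => sourceMatches(s, url, selfOrigin));
}

// Constructed sample policies and origins (not taken from the bug report).
const PAGE_CSP = "default-src 'self'; connect-src 'self'";
const EXT_CSP = "script-src 'self'; object-src 'self'; connect-src https://api.example.org";

function verdicts(target) {
  return {
    pagePolicy: connectAllowed(PAGE_CSP, target, 'https://page.example'),
    extensionPolicy: connectAllowed(EXT_CSP, target, 'moz-extension://constructed-id'),
  };
}
```

For a target such as `https://api.example.org/ping` the two policies disagree, which is the case the report exercises: the outcome depends on which policy the browser applies to the content script.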
Updated•7 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Updated•6 years ago
Product: Toolkit → WebExtensions