Closed Bug 1419678 Opened 2 years ago Closed 2 years ago
Webextension: content script honors Content-Security-Policy of the page instead of the one from content_security_policy in manifest.json
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
Build ID: 20171115095126

Steps to reproduce:
1) Create a webextension with a content script. Include some relaxed content_security_policy in manifest.json.
2) Serve a page with a restricted Content-Security-Policy header.
3) Load the content script into that page.
4) Make a request (e.g. XMLHttpRequest) from the content script; make sure it is outside of the page's Content-Security-Policy, but inside of the extension's content_security_policy.

Actual results:
Request is blocked by CSP.

Expected results:
Request should be allowed, as the content_security_policy of the webextension should be honored (this is the behaviour that background scripts have).
Component: Untriaged → WebExtensions: General
Product: Firefox → Toolkit
Simple extension that demonstrates the issue. Install the extension, visit https://content-security-policy.com/browser-test/ (has strict CSP headers) and click the button. In console, the result shows "WebExtension CSP test failed" if the policy from manifest.json was not used. Try it in Chrome - it shows "WebExtension CSP test ok".
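To make the two competing policies concrete, here is an added JavaScript sketch (not part of the bug report or the attached extension) of a simplified CSP connect-src matcher, evaluating the same request under a strict page header and under a relaxed extension policy. The page origin, the API host and the moz-extension UUID placeholder are assumed values.

```javascript
// Added example (not from the bug report): a simplified CSP connect-src matcher
// showing why one request is blocked under the page's policy but allowed under
// the extension's content_security_policy. Handles host-source, 'self', 'none'
// and '*' only; real CSP matching (paths, scheme-source, nonces) is richer.

// Parse "directive src src; directive src" into a Map of directive -> [sources].
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return policy;
}

// Does one source expression match the request URL? `self` is the origin the
// policy belongs to (the page for a CSP header, the extension for the manifest).
function sourceMatches(source, url, self) {
  if (source === "'none'") return false;
  if (source === '*') return true;
  if (source === "'self'") return url.origin === self.origin;
  // Host-source: optional scheme, optional leading "*." wildcard, host, optional port.
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)(?::(\d+|\*))?/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme.toLowerCase() + ':' !== url.protocol) return false;
  const h = url.hostname.toLowerCase();
  const hostOk = wildcard ? h.endsWith('.' + host.toLowerCase()) : h === host.toLowerCase();
  if (!hostOk) return false;
  const defaultPort = url.protocol === 'https:' ? '443' : '80';
  if (port && port !== '*' && port !== (url.port || defaultPort)) return false;
  return true;
}

// connect-src governs XMLHttpRequest/fetch; it falls back to default-src, and
// a policy with neither directive does not restrict connections at all.
function connectAllowed(cspHeader, requestUrl, selfUrl) {
  const policy = parseCsp(cspHeader);
  const sources = policy.get('connect-src') ?? policy.get('default-src');
  if (sources === undefined) return true;
  const url = new URL(requestUrl);
  const self = new URL(selfUrl);
  return sources.some((s) => sourceMatches(s, url, self));
}

// Constructed sample policies: strict page header vs. relaxed manifest.json policy.
const PAGE_CSP = "default-src 'self'; script-src 'self'";
const EXT_CSP = "script-src 'self'; object-src 'self'; connect-src 'self' https://api.example.test";
const REQUEST = 'https://api.example.test/data'; // the content script's XMLHttpRequest target
console.log('page CSP :', connectAllowed(PAGE_CSP, REQUEST, 'https://content-security-policy.com/') ? 'allowed' : 'blocked');
console.log('extension:', connectAllowed(EXT_CSP, REQUEST, 'moz-extension://extension-uuid-placeholder/') ? 'allowed' : 'blocked');
```

The first line is the Firefox result the report describes (blocked by the page's policy); the second is the expected outcome when the extension's own content_security_policy is applied to its content script.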
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1267027