Open Bug 1446231 Opened Last year Updated Yesterday

Override page CSP for inline script nodes injected by extension content scripts

Categories

(Core :: DOM: Security, enhancement, P2)

enhancement

Tracking

()

People

(Reporter: kmag, Assigned: kmag)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-active])

+++ This bug was initially created as a clone of Bug #1415352 +++

(I forgot I hadn't already done this.)

This is similar to bug 1415352, but for <script> rather than <style> nodes.

There's also the question of possibly adding similar exemptions for inline event listener attributes and eval() calls, but those are much more difficult problems, so I'm going to handle them separately.
Hello Kris, is there anything I can do to help get this issue fixed ?
I've never submit code to the Firefox codebase but with a few pointers I will gladly do so.

Thanks
Guillaume

Does this bug also apply to Javascript executed by bookmarklets? Or are those a different category (and should they have a separate bug?)?

(In reply to swleefers from comment #2)

Does this bug also apply to Javascript executed by bookmarklets? Or are those a different category (and should they have a separate bug?)?

Those are a different category, but I'm not sure there's a point of a separate bug. Bookmarklet scripts are the same as page scripts. There's no way to exempt them from policies like this.

See bug 1478037 for the bookmarklet case, at least in terms of allowing them to run even when CSP blocks scripts. Once running they would run just like any page script, so things they do would be affected by CSP.

There's also the question of possibly adding similar exemptions for inline event listener attributes and eval() calls, but those are much more difficult problems, so I'm going to handle them separately.

Is there a bug open for that?

I noticed that for a site like https://www.getmyboat.com/, which has a strictish CSP policy (i.e. no unsafe-eval or unsafe-inline), the React Devtools extension recognizes the use of React on that site on Chrome, but it fails to recognize the use of React on Firefox.

I opened an issue on the React repo regarding this, and a contributor noted that React Devtools uses devtools.inspectedWindow.eval() in a few places. Would those be blocked by Firefox currently?

To add (since I can't see how to edit my previous comment): it seems like this bug is more relevant to my issue: https://bugzilla.mozilla.org/show_bug.cgi?id=1267027

You need to log in before you can comment on or make changes to this bug.