Closed Bug 1489861 Opened 6 years ago Closed 6 years ago

"Content-Security-Policy: sandbox ..." header should not prevent injecting content scripts

Categories

(WebExtensions :: Untriaged, defect)

63 Branch
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1411641

People

(Reporter: m_khvoinitsky, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
Build ID: 20180905135451

Steps to reproduce:
Make a WebExtension that injects content scripts into all pages (either using JavaScript or manifest.json)

Actual results:
It doesn't work on dropbox.com/help; injecting it using JavaScript throws "Error: Missing host permission for the tab"

Expected results:
It should work as it's not listed in extensions.webextensions.restrictedDomains
Product: Firefox → WebExtensions
Some clarification: the issue is caused by "Content-Security-Policy: sandbox ...". If there is any security concern here, it's pointless because it's easy to remove/alter the aforementioned header using webRequest.onHeadersReceived and the webRequestBlocking permission. I've tried to make a PoC and it works.
Summary: Unable to inject content_script into dropbox.com/help despite having <all_urls> permission → "Content-Security-Policy: sandbox ..." header should not prevent injecting content scripts
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
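
A diagnostic sketch for the header named in the report, added here as an example (it is not the reporter's PoC and not Firefox code): it reads response headers in the `[{ name, value }]` shape that webRequest listeners receive and reports whether an enforced CSP sandboxes the page and whether `allow-same-origin` is missing. It assumes the injection failure follows from the opaque origin a sandbox without `allow-same-origin` gives the document; the function names and sample headers are constructed for illustration.

```javascript
// Added diagnostic example; not code from the bug report or from Firefox.
// Input shape follows webRequest's responseHeaders: [{ name, value }, ...].

// Split header values into individual policies (a comma separates policies).
function enforcedPolicies(responseHeaders) {
  return responseHeaders
    // The sandbox directive is ignored in report-only policies.
    .filter(h => h.name.toLowerCase() === "content-security-policy")
    .flatMap(h => (h.value || "").split(","))
    .map(p => p.trim())
    .filter(p => p.length > 0);
}

// Return the sandbox flags of one policy, or null if it has no sandbox directive.
function sandboxFlags(policy) {
  for (const directive of policy.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    // Directive names are case-insensitive; the first occurrence wins.
    if (tokens[0].toLowerCase() === "sandbox") {
      return new Set(tokens.slice(1).map(t => t.toLowerCase()));
    }
  }
  return null;
}

// Summarise the effective sandbox: a restriction is lifted only if every
// sandboxing policy lifts it.
function diagnoseSandbox(responseHeaders) {
  const flagSets = enforcedPolicies(responseHeaders)
    .map(sandboxFlags)
    .filter(flags => flags !== null);
  const sandboxed = flagSets.length > 0;
  const allows = flag => flagSets.every(flags => flags.has(flag));
  return {
    sandboxed,
    // Without allow-same-origin the document gets an opaque origin.
    opaqueOrigin: sandboxed && !allows("allow-same-origin"),
    scriptsAllowed: !sandboxed || allows("allow-scripts"),
  };
}

// Constructed sample headers (not captured from any real site).
const sampleHeaders = [
  { name: "Content-Type", value: "text/html" },
  { name: "Content-Security-Policy", value: "default-src 'self'; sandbox allow-scripts allow-forms" },
];
console.log(diagnoseSandbox(sampleHeaders));
```

Logging this result from an observing `webRequest.onHeadersReceived` listener shows whether a page where injection fails is served with a sandboxing policy, without modifying the response.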