Closed Bug 1489861 Opened Last year Closed Last year

"Content-Security-Policy: sandbox ..." header should not prevent injecting content scripts

Categories

(WebExtensions :: Untriaged, defect)

63 Branch
defect
Not set

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1411641

People

(Reporter: m_khvoinitsky, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
Build ID: 20180905135451

Steps to reproduce:

Make a WebExtension that injects content scripts into all pages (either using JavaScript or manifest.json)


Actual results:

It doesn't work on dropbox.com/help; injecting it using JavaScript throws "Error: Missing host permission for the tab"


Expected results:

It should work as it's not listed in extensions.webextensions.restrictedDomains
Product: Firefox → WebExtensions
Some clarification: the issue is caused by "Content-Security-Policy: sandbox ...". If there is any security concern here, it's pointless because it's easy to remove/alter the aforementioned header using webRequest.onHeadersReceived and the webRequestBlocking permission. I've tried to make a PoC and it works.
Summary: Unable to inject content_script into dropbox.com/help despite having <all_urls> permission → "Content-Security-Policy: sandbox ..." header should not prevent injecting content scripts
Status: UNCONFIRMED → RESOLVED
Closed: Last year
Resolution: --- → DUPLICATE
Duplicate of bug: 1411641
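
When reviewing an extension, the combination named in the comment above (webRequest, webRequestBlocking and a host permission covering the page) is what grants the ability to rewrite response headers such as Content-Security-Policy. The following is an added example, not part of the bug report or of Firefox's code: it checks a Manifest V2 `permissions` list for that combination. The manifests are constructed samples, the function names are hypothetical, and the match-pattern handling is simplified.

```javascript
// Added example: constructed manifests, simplified match-pattern handling.

// True if a WebExtension match pattern covers the given http(s) URL.
// Handles <all_urls>, "*" scheme, "*" / "*.domain" hosts and "*" path globs.
function patternCovers(pattern, url) {
  const u = new URL(url);
  const scheme = u.protocol.slice(0, -1);
  if (scheme !== 'http' && scheme !== 'https') return false;
  if (pattern === '<all_urls>') return true;
  const m = /^(\*|https?):\/\/(\*|(?:\*\.)?[^\/*]+)(\/.*)$/.exec(pattern);
  if (!m) return false; // an API permission name, not a host pattern
  const [, pScheme, pHost, pPath] = m;
  if (pScheme !== '*' && pScheme !== scheme) return false;
  if (pHost.startsWith('*.')) {
    const base = pHost.slice(2);
    if (u.hostname !== base && !u.hostname.endsWith('.' + base)) return false;
  } else if (pHost !== '*' && u.hostname !== pHost) {
    return false;
  }
  // Turn the path glob into an anchored regular expression.
  const escaped = pPath.split('*').map(s => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('^' + escaped.join('.*') + '$').test(u.pathname + u.search);
}

// Reports whether the manifest grants everything needed to rewrite
// response headers (via a blocking onHeadersReceived listener) for `url`.
function canRewriteResponseHeaders(manifest, url) {
  const perms = manifest.permissions || [];
  const missing = ['webRequest', 'webRequestBlocking'].filter(p => !perms.includes(p));
  const hostPatterns = perms.filter(p => patternCovers(p, url));
  if (hostPatterns.length === 0) missing.push('host permission for ' + url);
  return { capable: missing.length === 0, missing, hostPatterns };
}

// Constructed sample manifests (only the fields the check reads).
const headerEditor = { manifest_version: 2,
  permissions: ['webRequest', 'webRequestBlocking', '<all_urls>'] };
const injectorOnly = { manifest_version: 2, permissions: ['tabs', '<all_urls>'] };
const scoped = { manifest_version: 2,
  permissions: ['webRequest', 'webRequestBlocking', '*://*.example.org/*'] };

for (const [name, mf] of Object.entries({ headerEditor, injectorOnly, scoped })) {
  const r = canRewriteResponseHeaders(mf, 'https://dropbox.com/help');
  console.log(name, r.capable ? 'can rewrite headers' : 'missing: ' + r.missing.join(', '));
}
```
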