CSP blocks changes done by add-ons including data: URLs

RESOLVED DUPLICATE of bug 615708

Status

()

defect
RESOLVED DUPLICATE of bug 615708
9 years ago
3 months ago

People

(Reporter: clouserw, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Reporter

Description

9 years ago
Many add-ons inject images/iframes/objects/scripts/etc. into the pages of websites (translate buttons, link modification, the list goes on and on).  If a site has CSP enabled (with a recommended strict set of rules) all of these wanted adjustments won't happen.  This will lead to a bad experience for end users and also gives the site owner more control over what can and can't be done on their site than they have traditionally had.

This affects external resources _and_ data URLs so there is no good way to work around it from an add-on developers perspective.  I expect this to be a point of frustration for add-on developers and add-on users if CSP gets widespread use.

I'm attaching an example add-on that injects some elements into a page on reload.  Thanks to jorgev for writing the add-on.

Comment 1

9 years ago
Looks like you accidentally double posted.
No longer blocks: CSP
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 615708
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.