EFForg / privacybadger

Privacy Badger is a browser extension that automatically learns to block invisible trackers.
https://privacybadger.org

CSP injectScript warning #2941

Closed bravecrayon closed 10 months ago

bravecrayon commented 10 months ago

In Firefox 123.0b1 on a site with CSP script-src set to 'self' I see this in the console:

Content-Security-Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). utils.js:42:10

That is this line. Why is it trying to inject a <script> tag? Also, could a site easily evade whatever Privacy Badger is trying to do here with a specifically crafted CSP?

ghostwords commented 10 months ago

Thanks for reaching out!

This is a bug in Firefox where the browser fails to override site CSPs for page context ("main world") scripts injected by extension content scripts.

This will be fixed when Firefox fixes their bug, or when we change the way we inject into page contexts.

Privacy Badger injects page context scripts for things like click-to-activate widget placeholders, DNT/GPC signals in JavaScript, and denying JavaScript cookie access to "cookie-blocked" ("yellowlisted") domains. Core tracker blocking functionality is not affected.

Closing as a duplicate of #1793.
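The console message above is exactly what a site policy of `script-src 'self'` is supposed to do to an inline `<script>` element, whoever appended it; the Firefox bug is that the element added by an extension's content script is judged by the page's policy at all. The following is an added example, not Privacy Badger's code: a simplified CSP3 `script-src` matcher that reproduces that decision and also answers the evasion question from the report (a policy without `'unsafe-inline'` or a usable nonce blocks any inline injection). The page origin, policy strings, URLs and the `moz-extension://0123-4567/page.js` resource are constructed; the model covers `'self'`, `'none'`, `'unsafe-inline'`, `*`, nonce sources, scheme sources and wildcard host sources, and leaves out hash sources, ports, paths, `'strict-dynamic'` and any browser-specific exemption for extension URLs.

```javascript
// Added example (not Privacy Badger's code): a simplified CSP3 script-src
// matcher. Hash sources, ports, paths, 'strict-dynamic' and browser-specific
// exemptions for extension URLs are deliberately out of scope.

// Parse "name src src; name src ..." into Map<directive, string[]>.
// Per CSP, a repeated directive after the first is ignored.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    if (!policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Which source list governs <script>: script-src, else default-src, else none.
function scriptSources(policy) {
  if (policy.has("script-src")) return policy.get("script-src");
  if (policy.has("default-src")) return policy.get("default-src");
  return null;
}

// Match one source expression against a script URL; pageOrigin resolves 'self'.
function sourceMatchesUrl(source, url, pageOrigin) {
  const target = new URL(url);
  const page = new URL(pageOrigin);
  const lower = source.toLowerCase();
  if (lower === "'self'") return target.origin === page.origin;
  if (lower.startsWith("'")) return false; // other keywords never match a URL
  if (lower === "*") return !["data:", "blob:", "filesystem:"].includes(target.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(lower)) return target.protocol === lower; // scheme source
  // Host source, optionally with scheme and a leading wildcard: https://*.cdn.example
  const m = lower.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)/);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  const wantScheme = scheme ? scheme + ":" : page.protocol; // bare hosts inherit the page scheme
  if (target.protocol !== wantScheme) return false;
  return wildcard ? target.hostname.endsWith("." + host) : target.hostname === host;
}

// request is { inline: true, nonce?: string } or { url: string }.
function scriptAllowed(header, pageOrigin, request) {
  const sources = scriptSources(parseCsp(header));
  if (sources === null) return { allowed: true, reason: "no script-src or default-src" };
  const lower = sources.map((s) => s.toLowerCase());
  if (lower.includes("'none'")) return { allowed: false, reason: "'none'" };
  if (request.inline) {
    // A matching nonce (case-sensitive) always admits the script. Once any
    // nonce or hash source is present, 'unsafe-inline' is ignored (CSP3).
    if (request.nonce && sources.includes(`'nonce-${request.nonce}'`)) {
      return { allowed: true, reason: "matching nonce" };
    }
    const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
    if (lower.includes("'unsafe-inline'") && !hasNonceOrHash) {
      return { allowed: true, reason: "'unsafe-inline'" };
    }
    return { allowed: false, reason: "inline script: no 'unsafe-inline' and no matching nonce" };
  }
  const hit = sources.find((s) => sourceMatchesUrl(s, request.url, pageOrigin));
  return hit
    ? { allowed: true, reason: `matched ${hit}` }
    : { allowed: false, reason: `no source matches ${request.url}` };
}

// The case from this issue, with constructed values: the site sends
// script-src 'self' and a content script appends an inline <script>.
const PAGE_ORIGIN = "https://example.com/";
const ISSUE_CSP = "script-src 'self'";

function issueScenario() {
  return {
    inlineInjection: scriptAllowed(ISSUE_CSP, PAGE_ORIGIN, { inline: true }),
    sameOriginFile: scriptAllowed(ISSUE_CSP, PAGE_ORIGIN, { url: "https://example.com/app.js" }),
    // Pure CSP matching rejects an extension URL as well; whether a browser
    // exempts its own extension scheme from the page policy is browser
    // behaviour, which this model does not attempt to reproduce.
    extensionFile: scriptAllowed(ISSUE_CSP, PAGE_ORIGIN, { url: "moz-extension://0123-4567/page.js" }),
  };
}

console.log(issueScenario());
```

Running it shows the inline injection blocked and the same-origin file allowed, which is the console line from the report. The same matcher shows why the evasion worry is moot in the other direction: a site gains nothing by crafting a stricter policy, because once the browser applies the page policy to extension-injected inline scripts at all, plain `script-src 'self'` already blocks them, and adding `'unsafe-inline'` only helps when no nonce or hash source is present.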