Closed WofWca closed 3 years ago
No. It does not. Please refer to https://www.w3.org/TR/CSP3/#extensions
Policy enforced on a resource SHOULD NOT interfere with the operation of user-agent features like addons, extensions, or bookmarklets. These kinds of features generally advance the user’s priority over page authors, as espoused in [HTML-DESIGN].
Moreover, applying CSP to these kinds of features produces a substantial amount of noise in violation reports, significantly reducing their value to developers.
Chrome, for example, excludes the chrome-extension: scheme from CSP checks, and does some work to ensure that extension-driven injections are allowed, regardless of a page’s policy.
README says "In content scripts native dynamic import subjects to target page content security policy". Do you have any sources to back that up?
From a bit of testing it looks to me that it's not true. For example, here, on GitHub, if you open the console and try typing
it will refuse to do it with reference to the website's CSP, but my extension, which uses import(), imports its script just fine (it even appears in the Network tab of dev tools). Also, here are docs for Microsoft Edge extension developers: https://docs.microsoft.com/en-us/microsoft-edge/extensions-chromium/store-policies/csp#content-scripts, which specifically state the opposite. Mozilla docs are more general; there is no section for content scripts specifically: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_Security_Policy