da2x / save-data

WebExtension for sending the Save-Data: on HTTP request header.
https://www.daniel.priv.no/web-extensions/save-data
GNU General Public License v3.0

Firefox applies the page’s CSP to extension content_scripts #6

Open TimurBrave opened 2 years ago

TimurBrave commented 2 years ago

Hey man,

I hope you're doing well and always have some tea/coffee to drink :)

I found out that with this extension the articles on the right side of the site devdocs.io don't load at all; instead the site shows the message:

"The page failed to load. It may be missing from the server (try reloading the app) or you could be offline (try installing the documentation for offline usage when online again). If you're online and you keep seeing this, you're likely behind a proxy or firewall that blocks cross-domain requests."

Only when this extension is switched off does the site start loading articles.

Thanks a lot man & have a great day ;) Timur

da2x commented 2 years ago

Firefox only. Caused by differences in how it enforces a page’s content-security-policy (CSP) for extension content_scripts injections versus Chrome. Both engines are supposed to execute the scripts in isolated_world and not the page’s context, yet Firefox applies the CSP from the page’s context to the extension’s context.

The underlying issue is somewhere in Firefox metabug #1267027-land. It’s impossible to work around or mitigate from the extension side without tweaking every webpage’s CSP to allow script unsafe-inline. It shouldn’t be necessary for content_scripts, and it would never pass extension review.

Secondarily, the site in question should catch network errors. It has a service worker to do so, it just doesn’t do anything useful with the exception (like display a network error or security message).

I can’t do anything about it.
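As an added illustration of the mechanism described in the comment above (this is not code from the save-data extension or from devdocs.io): the function below parses a Content-Security-Policy header the way a browser does for inline scripts, with the CSP3 fallback chain `script-src-elem` → `script-src` → `default-src`, and reports whether an inline `<script>` injected into the page's DOM would be permitted. All CSP strings used here are constructed samples, not headers captured from any real site.

```javascript
// Added example: decide whether a page's CSP would block an inline <script>
// element injected into its DOM. When Firefox applies the page's CSP to an
// extension's content_script injection (the behaviour discussed above), this
// is the check that ends up rejecting the injected script.

// Parse "directive value value; directive value" into a Map. Per CSP3 the
// first occurrence of a directive wins; later duplicates are ignored.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return { allowed, reason } for an injected inline script under this CSP.
function inlineScriptAllowed(header) {
  const csp = parseCsp(header);
  // Fallback chain for <script> elements in CSP3.
  const governing = ['script-src-elem', 'script-src', 'default-src']
    .find((d) => csp.has(d));
  if (governing === undefined) {
    return { allowed: true, reason: 'no script-src-elem, script-src or default-src directive' };
  }
  const sources = csp.get(governing).map((s) => s.toLowerCase());

  // A nonce, hash or 'strict-dynamic' source makes 'unsafe-inline' ignored
  // (CSP3). The injected script carries no matching nonce or hash, so it is
  // blocked even if 'unsafe-inline' is also listed.
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (hasNonceOrHash || sources.includes("'strict-dynamic'")) {
    return {
      allowed: false,
      reason: `${governing} uses nonce/hash or 'strict-dynamic'; 'unsafe-inline' is ignored`,
    };
  }
  if (sources.includes("'unsafe-inline'")) {
    return { allowed: true, reason: `${governing} permits 'unsafe-inline'` };
  }
  return { allowed: false, reason: `${governing} does not permit inline scripts` };
}

// Constructed sample policies, not taken from any real site.
const SAMPLE_POLICIES = {
  strictSelf: "default-src 'self'",
  inlineOk: "default-src 'self'; script-src 'self' 'unsafe-inline'",
  nonced: "script-src 'nonce-c0nstructed' 'unsafe-inline'",
  elemOverrides: "script-src-elem 'self'; script-src 'unsafe-inline'",
  noScriptDirective: "img-src 'none'",
};

for (const [name, policy] of Object.entries(SAMPLE_POLICIES)) {
  const r = inlineScriptAllowed(policy);
  console.log(`${name.padEnd(18)} allowed=${r.allowed} (${r.reason})`);
}
```

The `elemOverrides` case is the one that surprises people: a site that loosens `script-src` but also sets a strict `script-src-elem` still blocks injected `<script>` elements, because the more specific directive governs. The practical consequence is the same as the comment states: only the site can change this, and an extension cannot relax it without rewriting every page's policy.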

mizzunet commented 2 years ago

@da2x, can I make this extension not work on specified websites which are broken due to the Save Data header? soundcloud.com for instance
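As an added example of what a per-site exclusion for a header-adding extension looks like (this is not the save-data project's own code, and it assumes the header is added from a background script through the WebExtension `webRequest.onBeforeSendHeaders` API, which requires the `webRequest` and `webRequestBlocking` permissions): the header logic is kept in pure functions so it can be exercised without a browser, and the host list is a constructed sample.

```javascript
// Added example: add "Save-Data: on" to outgoing requests except for hosts on
// an exclusion list. Constructed sample list; a real extension would load
// this from storage or an options page.
const EXCLUDED_HOSTS = new Set(['soundcloud.com']);

// True when the request URL's host is an excluded host or a subdomain of one
// (so "api.soundcloud.com" is excluded along with "soundcloud.com").
function hostExcluded(url, excluded = EXCLUDED_HOSTS) {
  let host;
  try {
    host = new URL(url).hostname.toLowerCase();
  } catch {
    return true; // unparsable URL: leave the request untouched
  }
  for (const h of excluded) {
    if (host === h || host.endsWith('.' + h)) return true;
  }
  return false;
}

// Return the request headers to send. Input and output use the
// webRequest HttpHeaders shape: an array of { name, value } objects.
function addSaveDataHeader(url, requestHeaders, excluded = EXCLUDED_HOSTS) {
  if (hostExcluded(url, excluded)) return requestHeaders;
  // Drop any existing Save-Data header so exactly one copy is sent.
  const headers = requestHeaders.filter((h) => h.name.toLowerCase() !== 'save-data');
  headers.push({ name: 'Save-Data', value: 'on' });
  return headers;
}

// Assumed wiring for a WebExtension background script. Guarded so the
// module also runs under Node for the checks below.
if (typeof browser !== 'undefined' && browser.webRequest) {
  browser.webRequest.onBeforeSendHeaders.addListener(
    (details) => ({ requestHeaders: addSaveDataHeader(details.url, details.requestHeaders) }),
    { urls: ['<all_urls>'] },
    ['blocking', 'requestHeaders'],
  );
}

// Constructed sample requests to show both branches.
console.log(addSaveDataHeader('https://example.com/', [{ name: 'Accept', value: '*/*' }]));
console.log(addSaveDataHeader('https://api.soundcloud.com/x', [{ name: 'Accept', value: '*/*' }]));
```

Note that this only addresses the header itself; the devdocs.io breakage discussed earlier in the thread comes from the CSP applied to content_scripts, which a host exclusion for the header would not change unless the content_script injection is skipped for the same hosts as well.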