Following up on this advice from @gorhill, please investigate feasibility / LOE for removing 'unsafe' clauses from the Content Security Policy in the manifest.
https://github.com/disconnectme/disconnect/blob/8793a575b1b88e9ef75d554a617e92f84b1799e4/firefox/content/disconnect.safariextension/opera/chrome/manifest.json#L22
https://github.com/disconnectme/disconnect/blob/8793a575b1b88e9ef75d554a617e92f84b1799e4/firefox/content/disconnect.safariextension/opera/manifest.json#L20
Update: also, since blob: and filesystem: are both whitelisted by default within script-src, please configure both of these to explicitly control remote code execution.
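
An added example, not code from the Disconnect repository: a small Node.js check that parses a manifest's `content_security_policy` and reports 'unsafe-*' keywords and blob: / filesystem: sources in the directive that governs scripts. The function names and both sample manifests are constructed for illustration.

```javascript
// Sources this issue asks to remove or control explicitly.
const RISKY = new Set(["'unsafe-inline'", "'unsafe-eval'", "blob:", "filesystem:"]);

// Parse a CSP string into a Map of directive name -> array of source tokens.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per the CSP spec, a repeated directive is ignored; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Report risky sources in the directive that governs script loading.
function auditManifestCsp(manifest) {
  let policy = manifest.content_security_policy;
  // Manifest V3 nests the policy in an object; Manifest V2 uses a plain string.
  if (policy && typeof policy === "object") policy = policy.extension_pages;
  if (typeof policy !== "string") return { directive: null, risky: [], missing: true };

  const directives = parseCsp(policy);
  // script-src falls back to default-src when it is absent.
  const directive = directives.has("script-src") ? "script-src"
    : directives.has("default-src") ? "default-src" : null;
  const sources = directive ? directives.get(directive) : [];
  // Keywords and scheme sources are matched case-insensitively.
  const risky = sources.map((s) => s.toLowerCase()).filter((s) => RISKY.has(s));
  return { directive, risky, missing: directive === null };
}

// Constructed manifests for illustration (not the project's actual manifest).
const weak = {
  content_security_policy:
    "script-src 'self' 'unsafe-eval' blob: filesystem:; object-src 'self'",
};
const tightened = {
  content_security_policy: "script-src 'self'; object-src 'self'",
};

console.log(auditManifestCsp(weak));
console.log(auditManifestCsp(tightened));
```

A check like this can run in CI against each browser's manifest.json so a reintroduced 'unsafe' clause fails the build.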