Closed bootleq closed 4 days ago
Thank you for the report and the POC. Unfortunately permissions like webRequest
are too broad and I cannot add them here.
The good news is that in the upcoming "Manifest Version 3" there's a better API to inject content without following the page’s CSP (chrome.scripting.executeScript with world: 'main')
The bad news is that Firefox still doesn't have MV3, so I can't make the switchover yet:
Is CSP correctly applied on this page? https://ghosttext.fregante.com/test/csp It works correctly for me
Good to hear the MV3 solution, thanks a lot.
The test page also works on my side, while it shouldn't.
According to https://developer.mozilla.org/docs/Web/HTML/Element/meta, the CSP <meta http-equiv> should be put within <head> instead of <body>.
Setup
Browser: Firefox 108.0.1 (Chrome works)
Editor: Sublime Text 4143, Vim 9.0
Description
The special handling in unsafe-messenger.js has a chance of being blocked by the website's content-security-policy. For example, www.blogger.com's post editing page in HTML view (which uses CodeMirror) has a policy header
which blocks our script, making GhostText report connected with
while the editor actually can't receive content.
What editors actually see
Sublime Text - Nothing.
vim-ghost - An error:
[ghost_wrapper@yarp] 127.0.0.1 - - [21/Dec/2022 18:47:55] "GET / HTTP/1.1" 200 -
How to reproduce
I have a fork branch with a simple test-csp.html page. Activating GhostText on it can reproduce the issue; then editing the HTML to enable the sha256- <meta> element will fix it. https://github.com/bootleq/GhostText/commit/444860c7ab820f118a161b47851ad42f84e48e1c
Request to change
I hope we can first detect the "blocked" problem, to ensure editors know there is a known problem.
Further, my fork has a preliminary POC (https://github.com/bootleq/GhostText/commit/23872e91aadd9ec7a1b9ff0c5d3a076592f1ed0b) with the extension API, hacking the CSP response header to allow our unsafe JS. That needs more consideration and can be studied later.