fregante
commented
1 year ago Thank you for the report and the POC. Unfortunately permissions like webRequest are too broad and I cannot add them here.
The good news is that in the upcoming "Manifest Version 3" there's a better API to inject content without following the page’s CSP (chrome.scripting.executeScript with world: 'main')
The bad news is that Firefox still doesn't have MV3, so I can't make the switchover yet:
- https://bugzilla.mozilla.org/show_bug.cgi?id=1748662
- https://bugzilla.mozilla.org/show_bug.cgi?id=1736575
Is CSP correctly applied on this page? https://ghosttext.fregante.com/test/csp It works correctly for me
bootleq
Setup
Browser: Firefox 108.0.1 (Chrome works) Editor: Sublime Text 4143, Vim 9.0
Description
The special handling
unsafe-messenger.jshas chance blocked by website's content-security-policy.For example, www.blogger.com 's post editing page in HTML view (which use CodeMirror) has a policy header
which blocks our script, makes GhostText report connected with
while editor can't receive content actually.
What editors actually see
Sublime Text - Nothing.
vim-ghost - An error:
[ghost_wrapper@yarp] 127.0.0.1 - - [21/Dec/2022 18:47:55] "GET / HTTP/1.1" 200 -
How to reproduce
I have a fork branch with simple
test-csp.htmlpage. Activate GhostText on it can reproduce, and then edit the HTML, enable thesha256-<meta>element will fix.https://github.com/bootleq/GhostText/commit/444860c7ab820f118a161b47851ad42f84e48e1c
Request to change
I hope we can first detect the "blocked" problem, ensure editors know there is an known problem.
Further, my fork has a preliminary POC (https://github.com/bootleq/GhostText/commit/23872e91aadd9ec7a1b9ff0c5d3a076592f1ed0b) with extension API, hack the CSP response header and allow our unsafe js. That needs more consideration and can be study later.