Closed k-risc closed 1 month ago
Perhaps this can be resolved by adding media-src data: to the csp-headers in manifest.json.
It also took me a while to figure out that this add-on was causing the CSP-reports.
Is there any way to circumvent this? What exactly is the idea behind this? I mean what is NoScript doing that causes these reports, considering we ourselves do not use audio or video on our site?
It's a necessary hack for NoScript to detect that it must block media elements on the page as early as possible, by creating a fake video element (and not even appending it to the document):
I was analyzing CSP reports saying
Content-Security-Policy: (Report-Only policy) The page’s settings would block the loading of a resource (media-src) at data: because it violates the following directive: “media-src 'none'”
on a website we implement. We do not have any audio or video on our site (it says here that it is connected to audio/video: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src).
In order to debug, I removed the output bit by bit and refreshed, until the page was completely empty. The report was still created. I then switched off NoScript, refreshed the page, and the report was not created any more.
Is there any way to circumvent this? What exactly is the idea behind this? I mean what is NoScript doing that causes these reports, considering we ourselves do not use audio or video on our site?
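One way to keep reports like the one in this thread from drowning out real violations is to triage them where they are collected. The following is an added example, not code from this thread or from NoScript; the function names, the constructed sample reports and the heuristic itself (a `media-src` violation for a `data:` resource on a site that serves no audio or video, or a `source-file` with an extension scheme) are assumptions.

```javascript
// Constructed sample bodies in the JSON shape browsers POST to a CSP report-uri.
const SAMPLE_REPORTS = [
  { 'csp-report': { 'document-uri': 'https://example.test/',
      'violated-directive': "media-src 'none'", 'blocked-uri': 'data' } },
  { 'csp-report': { 'document-uri': 'https://example.test/',
      'effective-directive': 'script-src',
      'blocked-uri': 'https://cdn.example.test/x.js' } },
  { 'csp-report': { 'document-uri': 'https://example.test/',
      'violated-directive': 'script-src', 'blocked-uri': 'inline',
      'source-file': 'moz-extension' } },
  { unexpected: true },
];

// Older reports carry the whole directive ("media-src 'none'"); keep the name only.
function directiveName(report) {
  const raw = report['effective-directive'] || report['violated-directive'] || '';
  return String(raw).trim().split(/\s+/)[0].toLowerCase();
}

// Returns 'malformed', 'likely-extension' or 'investigate'.
// siteUsesMedia: set to true if the site really serves audio/video, in which
// case a media-src violation is never written off as add-on noise.
function classifyReport(body, siteUsesMedia = false) {
  const r = body && body['csp-report'];
  if (!r || typeof r !== 'object') return 'malformed';
  const directive = directiveName(r);
  const blocked = String(r['blocked-uri'] || '').toLowerCase();
  const source = String(r['source-file'] || '').toLowerCase();
  // Violation raised from extension code rather than from the page itself.
  if (/^(moz|chrome)-extension/.test(source)) return 'likely-extension';
  // The pattern reported in this thread: media-src violated by a data: resource.
  if (!siteUsesMedia && directive === 'media-src' && /^data(:|$)/.test(blocked)) {
    return 'likely-extension';
  }
  return 'investigate';
}

// Count reports per class so dashboards can show real violations separately.
function summarize(bodies, siteUsesMedia = false) {
  const counts = { malformed: 0, 'likely-extension': 0, investigate: 0 };
  for (const b of bodies) counts[classifyReport(b, siteUsesMedia)] += 1;
  return counts;
}

console.log(summarize(SAMPLE_REPORTS));
```

Reports classed as `likely-extension` are best kept and counted rather than dropped, so a sudden change in their volume is still visible.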