Extension does not recognise webp image urls with suffixes

[TWeaKoR]

The extension does not recongise nor run on image urls with suffixes.

Example: https://next.lemm.ee/_next/image?url=https%3A%2F%2Fslrpnk.net%2Fpictrs%2Fimage%2F70dad073-5920-4864-9d04-655788f0c6af.webp&w=1080&q=75

It seems the &w and &q tags, or perhaps simply not ending in ".wepb", trips the extension up and prevents it from running. The extension won't load on the page and does not function in the right click menu either.

[jscher2000]

Hmm, the extension tries to inject the script that generates the button bar, but it fails with this error (in the add-on debugging inspector console):

Uncaught (in promise) Error: Missing host permission for the tab

I have not seen this on other images displayed in Firefox's stand-alone image viewer.

On the regular dev tools network tab for the image, I see this that the image is served with this header:

content-security-policy: script-src 'none'; frame-src 'none'; sandbox;

That seems to block even the built-in Firefox Screenshot feature (which uses extension APIs).

I wonder whether applying the site's CSP restrictions to the stand-alone image viewer was intentional or is a new bug. Have you used the extension on this site in earlier versions of Firefox?

Anyway, I'll have to think about whether there is a workaround for this. (Many extensions manipulate CSP for content blocking, and I don't want to interfere with or break those.) And if there isn't, how to at least alert the user to the nature of the failure.

[jscher2000]

Apparently it's a known bug since 2017 that "sandbox" blocks extension content scripts. A fix is waiting on something else to get fixed, and maybe they are nervous about getting out ahead of what Google is doing in Chromium. I hinted that maybe this could be resolved for stand-alone images even if it's hard for regular pages.

1411641 - CSP 'sandbox' directive prevents content scripts from matching, due to unique origin, breaking also browser features [Screenshots]

I really need to add an error message. Maybe it's an option to send the image URL to a web-based converter that doesn't obey CSP to get the job done (if there are any that accept anonymous requests).

[jscher2000]

I submitted an update to the Add-ons site today. It should be available in a few days (after review).

[jscher2000]

Well, actually, it violates Mozilla policies to remove the CSP: sandbox header, so my update was disallowed earlier today. Frustrating, but understandable since users may not understand how that feature protects them. Ha ha.

[jscher2000]

Version 1.5.1 is live, and after updating, you should see this popup when you try to use the add-on on the problem site:

This site sandboxes all of its files, so the first option is useless.

The second option still retrieves a WEBP file on this site, but it is saved locally (outside the sandbox) so you can then convert it. Of course, you could save it yourself anyway.

The third and fourth options send the image URL to a third party website. I don't have an affiliation with this site, but it is the easiest one to send image URLs to for conversion that I've found so far.

[jscher2000]

This was fixed in Firefox 128. However, if problems crop up on other sites, please let me know.