Closed da2x closed 5 years ago
Just a quick note here: We can't do this because this would require us to change the permissions in the manifest.json to have webRequest permission. Every user would need to confirm this in order to use the extension again.
I found a different way of solving this. Fonts aren't loaded anymore as data URI but as a normal HTTP request. Whitelisting the source in the manifest.json (web_accessible_resources) helps to bypass the CSP of the website. Should be fixed with version 2.4 (will be released in the next 1-2 weeks).
Doesn't that approach expose users to tracking?
Unfortunately, usage of LT addon is easily detectable anyways. We modify the DOM structure around text fields. A website wouldn't need to check if a certain font is available, instead they could just use a text field and look for specific LT-related DOM elements.
If you've an idea on how to avoid this, I'm open to discussing it.
Expected:
no problems.
Actual:
Some notes: Extensions are responsible for rewriting the Content-Security-Policy header to allow for injecting their content scripts and styles. You can see an example here.
Just drop the webfonts. The browser's default font is fine, right? Loading fonts on every page is bad for performance. Loading them as data strings also means they're not shared between tabs.
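
The manifest trade-off discussed in this thread, as an added example that is not part of the thread or the extension's own code: a small Node.js check that flags a `webRequest` permission and lists the `web_accessible_resources` entries any web page can request. The manifests and font paths are constructed for illustration, and `auditManifest` is a hypothetical helper name.

```javascript
// Added example: review an extension manifest for the two points raised above.
// All manifests and file names below are constructed samples.
function auditManifest(manifest) {
  const findings = [];
  const perms = [].concat(manifest.permissions || [], manifest.host_permissions || []);
  if (perms.includes("webRequest")) {
    // The thread notes that adding this permission makes users re-confirm.
    findings.push({ kind: "permission", detail: "webRequest requested" });
  }
  for (const entry of manifest.web_accessible_resources || []) {
    if (typeof entry === "string") {
      // Manifest V2: a plain string entry is loadable by every page.
      findings.push({ kind: "exposed", resource: entry, origins: ["<all pages>"] });
      continue;
    }
    // Manifest V3: each entry scopes its resources with `matches`.
    const origins = entry.matches || [];
    const broad = origins.some(
      (m) => m === "<all_urls>" || /^(\*|https?):\/\/\*\/\*$/.test(m)
    );
    // `use_dynamic_url` (Chrome, MV3) serves the resource under a per-session
    // ID, so it is not reported as exposed under a fixed URL.
    if (broad && !entry.use_dynamic_url) {
      for (const resource of entry.resources || []) {
        findings.push({ kind: "exposed", resource, origins });
      }
    }
  }
  return findings;
}

// Constructed sample: MV2 manifest exposing a font to every page.
const mv2 = {
  manifest_version: 2,
  permissions: ["storage"],
  web_accessible_resources: ["fonts/ui.woff2"],
};
// Constructed sample: MV3 manifest with one broad and one scoped entry.
const mv3 = {
  manifest_version: 3,
  permissions: ["storage", "webRequest"],
  web_accessible_resources: [
    { resources: ["fonts/ui.woff2"], matches: ["<all_urls>"] },
    { resources: ["fonts/icons.woff2"], matches: ["https://example.com/*"] },
  ],
};
console.log(auditManifest(mv2));
console.log(auditManifest(mv3));
```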