marklieberman / foxygestures

Mouse gestures for Firefox
GNU General Public License v3.0
190 stars, 20 forks

Firefox Foxygestures silently fails on a website (possible Content-Security-Policy issue in Firefox) #283

Status: Open. siebenmann opened this issue 5 years ago

siebenmann commented 5 years ago

I've stumbled over a website that Foxygestures doesn't work on: https://dotfiles.tnetconsulting.net/home.html (and associated pages). It's possible that this failure isn't from anything that Foxygestures is doing and is instead at root a Firefox issue, because when I load the page the browser console reports Content Security Policy: Couldn’t process unknown directive ‘plugin-types’ (and no other errors).

Environment: Firefox on Fedora Linux, Firefox version 63.0.3, Foxygestures 1.2.4. I'd be happy to run beta or test versions of Foxygestures to test fixes or generate debugging messages.

The exact response HTTP headers I get in Firefox are:

```http
HTTP/1.1 200 OK
Date: Sat, 08 Dec 2018 21:50:02 GMT
Server: Apache
Last-Modified: Sat, 18 Nov 2017 00:43:20 GMT
ETag: "1813-55e3723cdedb8-gzip"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Cache-Control: max-age=2592000
Expires: Mon, 07 Jan 2019 21:50:02 GMT
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Pingback: https://dotfiles.tnetconsulting.net/pingback.xml
Content-Security-Policy: default-src https://dotfiles.tnetconsulting.net/ https://cdn.tnetconsulting.net/ https://mailman.tnetconsulting.net/; form-action 'self'; sandbox allow-forms; base-uri https://dotfiles.tnetconsulting.net; plugin-types 'none'; object-src 'none';
X-Xss-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Content-Length: 3182
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
```

siebenmann commented 5 years ago

This seems pretty definitely a (website/Firefox) CSP issue. Toggling security.csp.enable on and off in a testing Firefox setup (and reloading the page) reliably switches gestures between working and not working.
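The following is an added example, not code from the issue thread or from the Foxygestures project, showing how to pull the site's Content-Security-Policy header apart and surface the two things worth checking first when an extension's content script vanishes on one site: directives the browser does not implement (the console message quoted in the issue shows Firefox rejecting `plugin-types`), and a `sandbox` directive, which per the CSP specification applies iframe-style sandbox flags to the top-level document and, without `allow-same-origin`, gives it an opaque origin. The directive list is the CSP Level 3 set as I know it; `ISSUE_CSP` is the header value quoted above, and the function and constant names are my own. The example does not claim which directive is responsible for the missing content scripts; that is what the Bugzilla references later in the thread are for.

```javascript
// Added example: parse a CSP header value and audit it for the features that
// matter when content scripts stop running on a single site.

// Directives defined by CSP Level 2/3 (assumption: list as the author knows it).
const KNOWN_DIRECTIVES = new Set([
  'default-src', 'script-src', 'script-src-elem', 'script-src-attr',
  'style-src', 'style-src-elem', 'style-src-attr', 'img-src', 'font-src',
  'connect-src', 'media-src', 'object-src', 'child-src', 'frame-src',
  'worker-src', 'manifest-src', 'prefetch-src', 'base-uri', 'sandbox',
  'form-action', 'frame-ancestors', 'report-uri', 'report-to', 'navigate-to',
  'upgrade-insecure-requests', 'block-all-mixed-content', 'require-sri-for',
  'require-trusted-types-for', 'trusted-types', 'plugin-types',
]);

// Directives Firefox reports as unknown; `plugin-types` is the one named in the
// console message quoted in this issue.
const FIREFOX_UNSUPPORTED = new Set(['plugin-types']);

// Header value quoted in the issue (copied from the thread, not constructed).
const ISSUE_CSP =
  "default-src https://dotfiles.tnetconsulting.net/ https://cdn.tnetconsulting.net/ " +
  "https://mailman.tnetconsulting.net/; form-action 'self'; sandbox allow-forms; " +
  "base-uri https://dotfiles.tnetconsulting.net; plugin-types 'none'; object-src 'none';";

// Split a serialized policy into a Map of directive-name -> [source expressions].
// Directives are separated by ';' and tokens by ASCII whitespace; a repeated
// directive name is ignored after its first occurrence, as the spec requires.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // trailing ';' yields an empty part
    const [name, ...values] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, values);
  }
  return directives;
}

// Report what a practitioner wants to know when debugging a site-specific
// extension failure. `objectSrc` falls back to default-src, as the browser does.
function auditCsp(header) {
  const directives = parseCsp(header);
  const names = [...directives.keys()];
  const sandboxFlags = directives.get('sandbox') || [];
  return {
    unknown: names.filter(d => !KNOWN_DIRECTIVES.has(d)),
    firefoxUnsupported: names.filter(d => FIREFOX_UNSUPPORTED.has(d)),
    sandboxed: directives.has('sandbox'),
    sandboxFlags,
    // A sandboxed document without allow-same-origin gets an opaque origin.
    opaqueOrigin: directives.has('sandbox') && !sandboxFlags.includes('allow-same-origin'),
    objectSrc: directives.get('object-src') || directives.get('default-src') || [],
  };
}

// Stand-alone usage: audit the header from the issue and print the findings.
console.log(JSON.stringify(auditCsp(ISSUE_CSP), null, 2));
```

Running it against the issue's header reports no spec-unknown directives, `plugin-types` as unsupported by Firefox, and `sandboxed: true` with only `allow-forms` set, so the document is served with an opaque origin; a policy such as `default-src 'self'` reports none of these. Compare the audit of a site where gestures work against one where they fail, as the reporter did with `security.csp.enable`, to narrow down which directive is in play.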

marklieberman commented 5 years ago

I believe this behavior is related to https://bugzilla.mozilla.org/show_bug.cgi?id=1267027.

I recall reading about similar problems with Greasemonkey and CSP. I think Tampermonkey alters the CSP header, but Greasemonkey does not. I think Greasemonkey's is the safer approach, so web extensions will remain broken until Mozilla fixes the page CSP applies to extensions issue.

siebenmann commented 5 years ago

Belatedly (oops): I read the bug report and it sort of seems like Foxygestures ought not to be affected by the specific report, unless I misunderstand how Foxygestures works (or the bug report). The bug report seemed to be about things directly injected into the page and people seemed to think that content scripts should still be fine, which I believe is all that Foxygestures uses to actually do things. FG injects markup into the page, but I believe it still does things even if that markup is suppressed or altered?

(That's been my experience in some situations where FG's gesture trails and 'Gesture:' report are suppressed, at least; nothing shows, but the gesture action still happens.)

marklieberman commented 5 years ago

It still seems to be a FF problem. The reason I think this is because if you open the devtools and look at the Sources tab, you can see contentScripts on non-CSP sites. That's FG and uBlock content scripts showing up here: (screenshot attached in the original comment)

However, on the page you provided the Sources tab is empty. No FG or uBlock content scripts.

siebenmann commented 5 years ago

Sorry, my lack of clarity: I agree that this is absolutely a Firefox problem. I just don't know if it's that specific problem, or if one should file another bug with Firefox in the hopes that it does some good.

marklieberman commented 5 years ago

After crawling the various related bugs, I found https://bugzilla.mozilla.org/show_bug.cgi?id=1366467 which was marked duplicate of 1267027 above. It seems to imply that 1267027 is a meta bug for all the CSP related addon issues. If you feel strongly enough that those aren't the applicable bugs here, I suppose you could log a new issue and worst case it gets closed as a dupe.

br4nnigan commented 4 years ago

Also fails on https://support.mozilla.org (but works on https://mozilla.org/)