Open opto opened 2 years ago
In version 2.0 there are plans to support strictest CSP. 1.5 will never be. However, you can set custom CSP settings for a addon, which works just fine.
good to hear, many thanks. Do you have an idea how to formulat the CSP manifest entry to allow v 1.5? I tried several versions from MDN and stackoverflow and was not yet successful.
Add this to manifest.json
{
...
"content_security_policy": "default-src 'self' 'unsafe-eval' ; style-src 'unsafe-inline'; script-src-attr 'unsafe-inline'; img-src 'self' data:; font-src 'self' data: 'unsafe-inline';"
}
many thanks, but: unfortunately, Mozilla does not allow unsafe-inline for addons (FF itself is fine): see https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy
I see that Chrome ext. v3 also has same problems. It works for manifest v2, but not v3. unsafe-inline
is ignored for script-src
yes, and it is not only in your code. In your code, I successfully updated some parts, but then I came to a point where code inside jquery caused csp errors. that is something where I do not have enough knowledge to change.
See https://github.com/vitmalina/bela - it is a chrome extension that uses w2ui. Works there.
With latest push all bug grid support following CSP:
<meta http-equiv="Content-Security-Policy"
content="default-src 'self' data:; style-src 'self' 'unsafe-inline';">
I tried to load that into firefox, but it does not work, throwing CSP errors (which probably was to be expected)
and concerning the other post: unsafe-inline is not allowed (Thunderbird team arguing that is because TB addons have access to emails - very private information, so more security is needed)
Styles unsafe-inline
will need to stay.
Short description tried to use w2ui inside Mozilla addons (e.g. Thunderbird)
What is current behavior blocked due to CSP violations. Problem are the implicit onclick handlers etc.
Tried in an example position to replace
by
What is desired behavior
The above removes the CSP violations, but it is too many for me to replace (search for onclick, onmouse etc. in w2ui-1.5.js
any help/considerationof this is appreciated.
The current code works in FF, but not in addons, they seem to have different CSP requirements.