I've looked at the other issues, and I don't think this one is covered yet, but please correct me if I'm wrong.
Summary: Inline script and style elements added to the web page by the extension's content script are governed by the extension's Content Security Policy in Chrome but governed by the web page's Content Security Policy in Firefox and Safari.
I've tested on macOS with Google Chrome 108.0.5359.124, Safari 16.2, and Firefox Developer Edition 109.0b3 (because regular Firefox doesn't yet support extension manifest V3). I performed 2 sets of tests: (1) with the browser's default CSP and (2) with a custom page CSP style-src 'none'; script-src 'none'. The extension content script adds inline style and script elements to the web page:
By default, all 3 web browsers allow the inline style to apply to the web page. Firefox and Safari also allow the inline script to execute on the web page. Chrome refuses to execute the inline script with manifest V3 and allows the inline script to execute with MV2.
With the restrictive page CSP, all 3 browsers refuse to execute the inline script. Firefox and Safari also refuse to allow the inline style. However, Chrome continues to allow the inline style with the page CSP style-src 'none'.
The extension files are in the folder CSPTest/Shared (Extension)/Resources/. Most of the other files in the attachment are to allow building and running the extension with Safari.
To run the 1st test: cd CSPTest; python3 -m http.server and then load http://localhost:8000/
I've attached a sample extension: CSPTest.zip
To run the 2nd test: cd CSPTest; python3 csp.py and then load http://localhost:8000/
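As an added illustration (not code from the CSPTest attachment or from any of the browsers), the following models what the page's Content Security Policy is expected to say about inline elements for the two policies used in the tests above, next to a constructed equivalent of the content-script injection the issue describes. The style and script bodies, the fallback-to-default-src logic, and the function names are assumptions made here for the example; the two policy strings are the ones from the issue.

```javascript
// Added example, not the issue's CSPTest extension. Models the page-side CSP
// check that Firefox and Safari apply to content-script-injected inline
// elements, per the behaviour reported above.

// Parse a CSP header value into { directiveName: [sourceExpression, ...] }.
// A repeated directive name is ignored (the first occurrence wins).
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) {
      directives[name] = tokens.slice(1).map((s) => s.toLowerCase());
    }
  }
  return directives;
}

// Would an inline <script> or <style> element carrying no nonce and no hash be
// allowed by this page policy? `directive` is 'script-src' or 'style-src'.
// When the specific directive is absent the check falls back to default-src;
// when neither is present nothing governs inline content and it is allowed.
function inlineAllowed(policy, directive) {
  const directives = parseCsp(policy || '');
  const sources = directives[directive] !== undefined
    ? directives[directive]
    : directives['default-src'];
  if (sources === undefined) return true; // no governing directive
  if (!sources.includes("'unsafe-inline'")) return false; // 'none', host lists, etc.
  // 'unsafe-inline' is ignored once a nonce, hash or 'strict-dynamic' source
  // is listed, so an element without a matching nonce/hash is still blocked.
  const hasNonceHashOrStrict = sources.some(
    (s) => /^'(nonce-|sha(256|384|512)-|strict-dynamic')/.test(s),
  );
  return !hasNonceHashOrStrict;
}

// Constructed equivalent of what the issue's content script does: append one
// inline <style> and one inline <script> to the page. `doc` is passed in so
// the function can be exercised outside a browser. The element bodies are
// placeholders chosen for this example.
function injectInline(doc) {
  const style = doc.createElement('style');
  style.textContent = 'body { outline: 4px solid red; }';
  const script = doc.createElement('script');
  script.textContent = 'console.log("inline script added by content script");';
  doc.head.appendChild(style);
  doc.head.appendChild(script);
  return [style, script];
}

// The two page policies used in the issue's tests.
const PAGE_CSP_DEFAULT = ''; // test 1: no Content-Security-Policy header
const PAGE_CSP_STRICT = "style-src 'none'; script-src 'none'"; // test 2

// Expected page-CSP verdicts for each test; in Chrome these inline elements
// are instead judged against the extension's own CSP, which is the discrepancy
// this issue reports.
function expectedPageVerdicts() {
  return {
    test1: {
      style: inlineAllowed(PAGE_CSP_DEFAULT, 'style-src'),
      script: inlineAllowed(PAGE_CSP_DEFAULT, 'script-src'),
    },
    test2: {
      style: inlineAllowed(PAGE_CSP_STRICT, 'style-src'),
      script: inlineAllowed(PAGE_CSP_STRICT, 'script-src'),
    },
  };
}

if (typeof document !== 'undefined') {
  // Only runs when loaded as an actual content script in a browser.
  injectInline(document);
}
```

Running inlineAllowed over the two test policies gives the outcome the issue reports for Firefox and Safari (everything allowed with no page CSP, both inline elements refused under style-src 'none'; script-src 'none'); Chrome's behaviour of applying the extension's CSP instead is not modelled here, since it is the point of disagreement.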