Closed stefanvd closed 6 months ago
In CSP, `worker-src` is supposed to fall back to `child-src` if present. Else fall back to `script-src` if present, else fall back to `default-src`.

In the case of the CSP you use for Turn off the lights, this means `worker-src` will end up using the `child-src` value, which is set to `https://www.youtube.com https://www.turnoffthelights.com`.

Is there any reason you are not using `frame-src` instead of `child-src`? Replacing `child-src` with `frame-src` would mean `worker-src` will start using the value of `script-src`.

As a last note, having `worker-src` set to `'self'` would not hurt in Chrome. So you could simply use the same CSP value. If you are not using any workers you can even set it to `'none'`.
Discussion about the default CSP can be found here: https://github.com/w3c/webextensions/issues/98
The reason why I use `child-src` is because I have a welcome guide (online page) and inside there is a video player (for one of these domains).
I try to keep my code the same across all platforms. Therefore, your suggestion `worker-src 'none'` is a good point to add in all my browser extensions.
@stefanvd for that you can simply use `frame-src` instead. Pretty sure you can also remove the YouTube source as it is not a direct subframe of your extension.
Is there anything specific for this group to talk about?
@carlosjeurissen I used `frame-src` before; at that time, it was "deprecated". Because of this, I continued to use `child-src`.
`frame-src` was deprecated in level 2, but is restored in level 3. If not present it still falls back to `child-src` as before.
Should `child-src` not be the recommended option for future use?
@stefanvd I would suggest using `frame-src` instead. As you mentioned, it is no longer deprecated. And it seems you do not need `worker-src`. So there is no benefit of using `child-src`.
Again is there anything specific for this group to talk about?
These are informative warnings for developers, not fatal errors that prevent the extension from loading.

In practice, due to several efforts, including #98 and #204, the CSP handling is now quite uniform. Chrome and Firefox both enforce the CSP by enforcing a minimum CSP (effectively `script-src 'self'`), and then apply whatever the extension specifies on top of it. This minimum enforced CSP is a hardening measure to counter CSP validation bypasses (which happened in the past in Chrome, e.g. https://crbug.com/1042963).

Like Carlos mentioned before, you should have used `frame-src` instead of `child-src` here. Because the directive precedence is `worker-src < child-src < script-src`, Firefox rightfully warns about the `child-src` directive being rejected, because accepting `child-src` would imply that workers would be permitted to run code. Chrome does not warn because its validator does not account for `child-src` in the context of workers, but that initial validator bypass is mitigated by the enforcement of the "minimum CSP" that I described before. If anyone wanted to rely on this (i.e. loading a remote worker in Chrome), then the load would be blocked and an appropriate warning about the CSP will be displayed in the console.
I'm closing this issue because there are no actionable items for the WECG here.
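The fallback chain quoted at the top of the thread and the "minimum CSP" described in the comment above are easy to get wrong by hand, so here is a small resolver that makes both concrete. It is an added example, not code from this thread, from the WECG, or from any browser: it walks the CSP Level 3 fallback lists for `worker-src` and `frame-src`, reports which directive ends up governing a worker load, and checks a worker origin against both the browser's fixed `script-src 'self'` policy and the extension's own policy. The two policy strings are constructed to match the shape discussed in the thread (the real manifest is only shown in screenshots), the extension origin is a placeholder, and source matching is simplified to `'none'`, `'self'` and exact origins (real browsers also handle schemes, wildcards, paths, nonces and hashes).

```python
"""Resolve which CSP directive governs a worker or frame load.

Added example modelling the CSP Level 3 fallback chains quoted in the
thread (worker-src -> child-src -> script-src -> default-src;
frame-src -> child-src -> default-src) and the "minimum CSP" that Chrome
and Firefox enforce alongside the extension's own policy.
"""

# CSP3 directive fallback lists for the load types discussed in the thread.
FALLBACK = {
    "worker-src": ["worker-src", "child-src", "script-src", "default-src"],
    "frame-src": ["frame-src", "child-src", "default-src"],
    "script-src": ["script-src", "default-src"],
}

# Constructed policies (the thread only shows the manifest as screenshots).
# EXTENSION_CSP carries the two video hosts in child-src, as described;
# FIXED_CSP applies the suggested change: frame-src instead, worker-src 'none'.
EXTENSION_CSP = ("script-src 'self'; "
                 "child-src https://www.youtube.com https://www.turnoffthelights.com")
FIXED_CSP = ("script-src 'self'; "
             "frame-src https://www.turnoffthelights.com; "
             "worker-src 'none'")
# The minimum policy the thread says both browsers enforce regardless of manifest.
MINIMUM_CSP = "script-src 'self'"
# Placeholder extension origin (assumption; not a real extension id).
SELF_ORIGIN = "chrome-extension://ext-id-placeholder"


def parse_policy(policy):
    """Split a serialized policy into {directive: [source expressions]}.
    CSP ignores a repeated directive name after its first occurrence."""
    directives = {}
    for token in policy.split(";"):
        parts = token.split()
        if not parts:
            continue
        name, *sources = parts
        directives.setdefault(name.lower(), sources)
    return directives


def effective_directive(directives, directive):
    """Walk the fallback list; return (governing_name, sources), or
    (None, []) when nothing in the policy restricts this kind of load."""
    for name in FALLBACK[directive]:
        if name in directives:
            return name, directives[name]
    return None, []


def source_allowed(sources, origin, self_origin=SELF_ORIGIN):
    """Simplified source-list match: 'none' blocks everything, 'self' matches
    the extension's own origin, any other entry must equal the origin."""
    if "'none'" in sources:
        return False
    return any(
        (src == "'self'" and origin == self_origin) or src == origin
        for src in sources
    )


def worker_allowed(extension_policy, origin, self_origin=SELF_ORIGIN):
    """A worker load must satisfy every enforced policy: the browser's
    minimum CSP and the extension's own. A policy with no governing
    directive for workers does not restrict the load."""
    for policy in (MINIMUM_CSP, extension_policy):
        governing, sources = effective_directive(parse_policy(policy), "worker-src")
        if governing is not None and not source_allowed(sources, origin, self_origin):
            return False
    return True


def audit(policy):
    """Flag the situation Firefox warns about: worker-src silently inheriting
    a child-src list that was only ever meant for frames."""
    governing, sources = effective_directive(parse_policy(policy), "worker-src")
    if governing == "child-src":
        return (f"worker-src falls back to child-src ({' '.join(sources)}); "
                "set worker-src 'self' or 'none', or use frame-src instead")
    return None


if __name__ == "__main__":
    for label, policy in (("original", EXTENSION_CSP), ("fixed", FIXED_CSP)):
        print(label, effective_directive(parse_policy(policy), "worker-src"))
        print("  audit:", audit(policy))
        for origin in ("https://www.youtube.com", SELF_ORIGIN):
            print("  worker from", origin, "->", worker_allowed(policy, origin))
```

Running it shows the two points made in the thread: with `child-src` in the manifest the worker load is governed by the video hosts list (the condition `audit` flags), and a remote worker is still refused because the minimum `script-src 'self'` policy has to be satisfied as well. With `frame-src` in place of `child-src`, `worker-src` falls through to `script-src` and only the extension's own origin can spawn a worker.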
When converting my Chrome extension to a Firefox Extension Manifest V3 and using the same Manifest.json file, it shows me a warning that I need to add `worker-src 'self'`. While it works just fine in the Google Chrome web browser. In Firefox, I added `worker-src 'self'` inside the `content_security_policy` code in my Manifest.json file, and the warning was removed.

Screenshots of the issue (images not included): Chrome Manifest.json; Firefox Manifest.json
Conclusion:
All web browsers must establish a uniform default security standard for their Content Policy. This ensures the prevention of issues where the security of one content script differs and is more relaxed in another web browser. Setting a consistently robust security baseline is imperative for a secure web browser.
Resources: