CSP issue in converting Chrome extension to web extension

C csr at mega.co.nz
Fri Sep 29 21:01:21 UTC 2017


I'm in the middle of trying to convert our Chrome extension to a Web 
Extension for Firefox. I've almost got it loading in Firefox 56 finally, 
but I'm getting a CSP error.

I can go to `about:config` and set `security.csp.enable` to `false` and 
the extension loads and everything works just fine. However this is not 
very secure as all sites would then have the CSP disabled. Also removing 
the rule from the manifest file means it defaults to stricter settings. 
I have tried tweaking it somewhat but no luck so far. Perhaps it is a 
compatibility bug if the rule works fine in Chrome but not in Firefox.

I am loading the unpacked extension via `about:debugging` tab. The error 
in the console when visiting the extension URL 
`moz-extension://3a2d7550-b3b1-4458-8d47-bbc8e0fd6c78/mega/secure.html` is:

 > Loading failed for the script with source 
 > Content Security Policy: The page’s settings blocked the loading of a 
resource at 
(“script-src moz-extension://3a2d7550-b3b1-4458-8d47-bbc8e0fd6c78 
'unsafe-eval' https://*.mega.co.nz/ https://*.mega.nz/”).

Here's the policy from the manifest.json file:

"content_security_policy": "script-src 'self' 'unsafe-eval' 
https://*.mega.co.nz/ https://*.mega.nz/; object-src 'self' 
'unsafe-eval' https://*.mega.co.nz/ https://*.mega.nz/;",

This same policy works fine for the extension in Chrome/Chromium so I'm 
not sure what's different about Firefox. I wondering if anyone here has 
any pointers to resolve the issue or perhaps even loosen the 
restrictions some more? The error is not very descriptive so I'm not 
sure which part of the code would be causing it.

If you would like to test our extension, the zip file can be downloaded 
from here: 

Thanks very much

More information about the Webextensions-support mailing list