CSP issue in converting Chrome extension to web extension

Andrew McKay amckay at mozilla.com
Fri Sep 29 22:45:04 UTC 2017


Were you asking similar questions on the #webextensions IRC channel?
It sounds like you got some answers there.

Cheers

On 29 September 2017 at 14:01, C <csr at mega.co.nz> wrote:
> Hi,
>
> I'm in the middle of trying to convert our Chrome extension to a Web
> Extension for Firefox. I've almost got it loading in Firefox 56 finally, but
> I'm getting a CSP error.
>
> I can go to `about:config` and set `security.csp.enable` to `false` and the
> extension loads and everything works just fine. However this is not very
> secure as all sites would then have the CSP disabled. Also removing the rule
> from the manifest file means it defaults to stricter settings. I have tried
> tweaking it somewhat but no luck so far. Perhaps it is a compatibility bug
> if the rule works fine in Chrome but not in Firefox.
>
> I am loading the unpacked extension via `about:debugging` tab. The error in
> the console when visiting the extension URL
> `moz-extension://3a2d7550-b3b1-4458-8d47-bbc8e0fd6c78/mega/secure.html` is:
>
>> Loading failed for the script with source
>> “blob:moz-extension://3a2d7550-b3b1-4458-8d47-bbc8e0fd6c78/e8a20cf7-847d-4bf6-b304-ac61deec8b53”.
>> secure.html:1
>> Content Security Policy: The page’s settings blocked the loading of a
>> resource at
>> blob:moz-extension://3a2d7550-b3b1-4458-8d47-bbc8e0fd6c78/e8a20cf7-847d-4bf6-b304-ac61deec8b53
>> (“script-src moz-extension://3a2d7550-b3b1-4458-8d47-bbc8e0fd6c78
>> 'unsafe-eval' https://*.mega.co.nz/ https://*.mega.nz/”).
>
> Here's the policy from the manifest.json file:
>
> "content_security_policy": "script-src 'self' 'unsafe-eval'
> https://*.mega.co.nz/ https://*.mega.nz/; object-src 'self' 'unsafe-eval'
> https://*.mega.co.nz/ https://*.mega.nz/;",
>
> This same policy works fine for the extension in Chrome/Chromium so I'm not
> sure what's different about Firefox. I wondering if anyone here has any
> pointers to resolve the issue or perhaps even loosen the restrictions some
> more? The error is not very descriptive so I'm not sure which part of the
> code would be causing it.
>
> If you would like to test our extension, the zip file can be downloaded from
> here: https://mega.nz/#!WFMlhTJK!cxE9MqF-xEzXaheozleSt8nX2zbadbk85cZv6pbtPAs
>
> Thanks very much
>
> _______________________________________________
> Webextensions-support mailing list
> Webextensions-support at mozilla.org
> https://mail.mozilla.org/listinfo/webextensions-support


More information about the Webextensions-support mailing list