| Summary: | Some extensions trigger CSP violation reports | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Nicolas H. <dante3333> |
| Component: | New Bugs | Assignee: | Timothy Hatcher <timothy> |
| Status: | NEW --- | | |
| Severity: | Normal | CC: | aljungberg, andre, ap, bfulgham, dak, dante3333, dbates, jan, jberlin, opendarwin, sam, sam, timothy, webkit-bug-importer, webkit, webkit, webkit |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| See Also: | https://bugs.webkit.org/show_bug.cgi?id=144830 https://bugs.chromium.org/p/chromium/issues/detail?id=233903 https://bugzilla.mozilla.org/show_bug.cgi?id=866522 | | |
Description
Nicolas H.
2015-09-09 07:10:24 PDT
Please make extensions exempt from a site's CSP, similar to how Chrome and Firefox already do. The issue also affects userscript engines like Tampermonkey: https://github.com/Tampermonkey/tampermonkey/issues/296#issuecomment-222356524

It's also specced that CSP should not interfere with extensions. Quoted from https://w3c.github.io/webappsec-csp/#extensions:

> Policy enforced on a resource SHOULD NOT interfere with the operation of user-agent features like addons, extensions, or bookmarklets

It appears that the spec now says "may" and not "should", so the current behaviour may not violate the letter of the law. https://github.com/w3c/webappsec/commit/73963d509b20513a6f42b1e0839715aca8b578b0

It does however make it pretty hard (if not impossible) to implement a whole range of useful extensions which of necessity rely on script injection. It seems sensible to have a mechanism that would allow browsers to exempt extensions (perhaps on a per-extension basis). It then comes down to a matter of user trust whether to allow each extension full access, which seems to be in keeping with the W3C intent.

I'm also affected by this issue. I wrote a script to add some keyboard shortcuts to Phabricator and I inject it using Tampermonkey. Phabricator added a CSP header and it stops my extension from even loading. In my opinion, the best solution would be to allow extensions to do what they want (that's the purpose of extensions, after all). The second best solution would be to be able to turn off CSP on a per-site basis, say in Preferences.
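The flip side of this bug for a site operator is that every extension or userscript blocked by the policy shows up in the site's CSP violation reports as if the site itself were broken. The following is an added example, not code from the bug report or from WebKit, showing how a report-collection endpoint can separate extension-caused violations from genuine ones. Field names follow the CSP Level 2 `csp-report` JSON body posted to `report-uri`; the sample reports, the `example.test` hosts and the extension ids are constructed placeholders, and the handling of a bare `chrome-extension` scheme (path stripped from a cross-origin blocked URI) is based on observed browser behaviour rather than anything on this page.

```javascript
// Added example (not part of the WebKit bug report or any project's code):
// triage CSP violation reports so violations caused by browser extensions
// or userscript managers injecting scripts can be separated from violations
// in the site's own content. Sample reports below are constructed; the
// extension ids and hostnames are placeholders.

// Schemes browsers use for extension-packaged resources.
const EXTENSION_SCHEMES = new Set([
  'chrome-extension:', 'moz-extension:',
  'safari-extension:', 'safari-web-extension:',
]);

// blocked-uri and source-file may be a full URL, a bare scheme (browsers
// strip the path of cross-origin URLs, so only "chrome-extension" may be
// left), or a keyword such as "inline" or "eval". Return "scheme:" or "".
function schemeOf(value) {
  if (typeof value !== 'string') return '';
  const m = /^([a-z][a-z0-9+.-]*)(?::|$)/i.exec(value.trim());
  return m ? m[1].toLowerCase() + ':' : '';
}

function classifyReport(report) {
  // Accept either the wire body ({ "csp-report": {...} }) or the inner object.
  const r = report['csp-report'] || report;
  const blocked = r['blocked-uri'] || '';
  const source = r['source-file'] || '';
  const directive = r['effective-directive'] || r['violated-directive'] || '';

  if (EXTENSION_SCHEMES.has(schemeOf(blocked)) || EXTENSION_SCHEMES.has(schemeOf(source))) {
    // The blocked resource, or the script that requested it, lives in an
    // extension package: noise from the visitor's browser, not a site defect.
    return 'extension';
  }
  if (blocked === 'inline' || blocked === 'eval' ||
      (blocked === '' && directive.startsWith('script-src'))) {
    // Inline script or eval forbidden by the policy. An injected userscript
    // looks like this, but so does the site's own inline code; source-file
    // (when the browser supplies it) is what tells the two apart.
    return 'inline-script';
  }
  // A resource from a host the policy does not allow.
  return 'external';
}

// Tally a batch of reports by category so extension noise can be tracked
// and filtered before the remainder is triaged as real policy problems.
function summarizeReports(reports) {
  const counts = { extension: 0, 'inline-script': 0, external: 0 };
  for (const report of reports) counts[classifyReport(report)] += 1;
  return counts;
}

// Constructed sample reports (placeholder ids and hosts).
const POLICY = "default-src 'self'; script-src 'self'; report-uri /csp-report";
const SAMPLE_REPORTS = [
  { 'csp-report': { 'document-uri': 'https://phabricator.example.test/D1234',
      'effective-directive': 'script-src', 'violated-directive': "script-src 'self'",
      'original-policy': POLICY,
      'blocked-uri': 'chrome-extension://PLACEHOLDER_EXTENSION_ID/content.js' } },
  { 'csp-report': { 'document-uri': 'https://phabricator.example.test/D1234',
      'effective-directive': 'script-src', 'violated-directive': "script-src 'self'",
      'original-policy': POLICY,
      'blocked-uri': 'chrome-extension' } }, // bare scheme, path stripped
  { 'csp-report': { 'document-uri': 'https://phabricator.example.test/D1234',
      'effective-directive': 'script-src', 'violated-directive': "script-src 'self'",
      'original-policy': POLICY,
      'blocked-uri': 'inline', 'line-number': 1 } },
  { 'csp-report': { 'document-uri': 'https://phabricator.example.test/D1234',
      'effective-directive': 'script-src', 'violated-directive': "script-src 'self'",
      'original-policy': POLICY,
      'blocked-uri': 'https://cdn.example.test/lib.js',
      'source-file': 'https://phabricator.example.test/app.js' } },
];

console.log(summarizeReports(SAMPLE_REPORTS));
```

Reports in the `extension` bucket can be dropped or counted separately; the `inline-script` bucket is the ambiguous one described in this bug, since a userscript injected by Tampermonkey and the site's own inline `<script>` produce the same `blocked-uri`.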