Following on from https://bugs.webkit.org/show_bug.cgi?id=97398, it would be nice if inline script blocks injected from an isolated world into the page would run as expected. Not sure it's easily possible. :(
LastPass, for instance, is a Chrome extension which injects inline scripts to do its thing. Ideally, it wouldn't do that, but it does.
I'd rather than extension authors used scripts from their extension package. Injecting an inline script is likely to lead to XSS.
(In reply to comment #1)
> I'd rather than extension authors used scripts from their extension package. Injecting an inline script is likely to lead to XSS.
What about out-of-line scripts hosted on origins that the extension's CSP allows? I think we're currently blocking those as well.
Unassigning myself; let's be realistic about what I'm actually working on. :/
This issue was resolved with the patch for bug #144830.
(In reply to comment #4)
> This issue was resolved with the patch for bug #144830.
For completeness, the patch for bug #144830 did exempt user agent shadow DOM markup from CSP because such markup is used to implement browser features and is considered an implementation detail.
I marked this issue RESOLVED WONTFIX because I do not feel we should fix this bug as it encourages a bad idiom. I agree with Adam Barth's remarked in comment #1, we want extension authors to use scripts included in their extension bundle as opposed to programmatically injecting inline script that could make the page susceptible to an XSS vulnerability.