Inconsistency: CSP for inline web page elements added by extension #337

Open
lapcat opened this issue Dec 18, 2022 · 1 comment
Labels
inconsistency Inconsistent behavior across browsers topic: csp Related to content security policy enforcement

Comments

@lapcat

lapcat commented Dec 18, 2022

I've looked at the other issues, and I don't think this one is covered yet, but please correct me if I'm wrong.

Summary: Inline script and style elements added to the web page by the extension's content script are governed by the extension's Content Security Policy in Chrome but governed by the web page's Content Security Policy in Firefox and Safari.

I've tested on macOS with Google Chrome 108.0.5359.124, Safari 16.2, and Firefox Developer Edition 109.0b3 (because regular Firefox doesn't yet support extension manifest V3). I performed 2 sets of tests: (1) with the browser's default CSP and (2) with a custom page CSP `style-src 'none'; script-src 'none'`. The extension content script adds inline style and script elements to the web page:

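```javascript
// Inline <style> element injected into the page by the content script.
const style = document.createElement("style");
style.appendChild(document.createTextNode("p { background-color: yellow; }"));
document.head.appendChild(style);

// Inline <script> element injected into the page by the content script.
const script = document.createElement("script");
script.appendChild(document.createTextNode("window.alert('content script');"));
document.head.appendChild(script);
```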

By default, all 3 web browsers allow the inline style to apply to the web page. Firefox and Safari also allow the inline script to execute on the web page. Chrome refuses to execute the inline script with manifest V3 and allows the inline script to execute with MV2.

With the restrictive page CSP, all 3 browsers refuse to execute the inline script. Firefox and Safari also refuse to allow the inline style. However, Chrome continues to allow the inline style with the page CSP `style-src 'none'`.

I've attached a sample extension.
CSPTest.zip

The extension files are in the folder `CSPTest/Shared (Extension)/Resources/`. Most of the other files in the attachment are to allow building and running the extension with Safari.

To run the 1st test: `cd CSPTest; python3 -m http.server` and then load http://localhost:8000/

To run the 2nd test: `cd CSPTest; python3 csp.py` and then load http://localhost:8000/
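
Added example, not part of the original comment and not the `csp.py` from the attachment (which is not shown on this page): a stand-in server for the second test that serves the current directory and sends the page CSP quoted in the issue on every response. The names `PAGE_CSP`, `CSPHandler` and `make_server` are assumptions made for this sketch.

```python
"""Static file server that attaches a restrictive page CSP to every response."""
import functools
import http.server

# Page policy quoted in the issue for the second set of tests.
PAGE_CSP = "style-src 'none'; script-src 'none'"


class CSPHandler(http.server.SimpleHTTPRequestHandler):
    """Serve files like `python3 -m http.server`, plus the CSP header."""

    def end_headers(self):
        # end_headers() runs for success and error responses alike, so the
        # policy is also present on 404 pages.
        self.send_header("Content-Security-Policy", PAGE_CSP)
        # Stop the browser from reusing a cached copy fetched during the
        # first test, which was served without the header.
        self.send_header("Cache-Control", "no-store")
        super().end_headers()


def make_server(directory=".", port=8000):
    """Return a loopback-only server for `directory` (port 0 = any free port)."""
    handler = functools.partial(CSPHandler, directory=directory)
    return http.server.ThreadingHTTPServer(("127.0.0.1", port), handler)


if __name__ == "__main__":
    with make_server() as httpd:
        print("Serving http://localhost:8000/ with CSP:", PAGE_CSP)
        httpd.serve_forever()
```

Checking the response headers in each browser's network inspector confirms the policy was delivered before comparing how the injected `style` and `script` elements are treated.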

@birtles

birtles commented Dec 19, 2022

I've filed a related issue on Safari but in that case the Chrome and Firefox behavior agree: https://bugs.webkit.org/show_bug.cgi?id=232781

@Rob--W Rob--W added the topic: csp Related to content security policy enforcement label Jan 5, 2023
@xeenon xeenon added inconsistency Inconsistent behavior across browsers and removed needs-triage labels Jan 19, 2023