Bug on FF 77.0? Content Security Policy - The page’s settings is blocking the loading of an inline resource

Hi,
I have an add-on that I have developed, and I noticed that since Firefox version 77.0, CSP is blocking my inline scripts at resource “script-src”.
This doesn’t reproduce on Firefox version 76 or earlier, and I’ve read the release notes and didn’t notice any changes that might affect the API.
Seems to me like there might be a bug in Firefox.
Could anyone please check? (Please check it on a page with CSP, for example: https://www.dropbox.com/)

I have attached below a very simple add-on; all it does is empty all CSP headers. You can see that on Firefox version 77.0 or later I get the error message:

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). commons.js:24:16

On previous Firefox versions I don’t get this message.

Here is the add-on to demonstrate it: https://drive.google.com/file/d/1gCPEgBRZB0WoTF-L_BnrGigvdiaHw-36/view?usp=sharing

Do you run any other extensions that might be modifying the CSP headers on the same response? I believe there was a very recent change related to how that situation is resolved: in short, the most restrictive headers win.

Yes, I’ve seen this change, which is related to merging between multiple extensions that alter the same thing.
But no, I only have one extension installed.
If you’d like, you can try out the simple extension I provided: just by running it alone, you will get the error message, and prior to version 77.0 this didn’t reproduce.

If the most restrictive headers win, that probably also includes the site’s headers, as in you can’t ease the CSP from an extension? Which would fit this issue?

But if you go to https://www.dropbox.com/ without any extension installed, you will get this error message too (again, on version 76 this didn’t happen).
I guess they have altered the CSP on their server also, but with no extension installed there couldn’t be any collisions, right?

Maybe setting the header to a blank value is not helpful for this header? You could try deleting it completely:

function onHeadersReceived(details) {
    var headers = details.responseHeaders;
    // Walk backwards so splice() does not skip the element that follows a removed
    // one, and do not stop at the first match: a response may carry several
    // Content-Security-Policy headers, and the browser enforces every one of them.
    for (var i = headers.length - 1; i >= 0; i--) {
        if (headers[i].name.toLowerCase() == 'content-security-policy') {
            // remove this header
            headers.splice(i, 1);
        }
    }
    return { responseHeaders: headers };
}

// Register the listener; manifest.json needs the "webRequest",
// "webRequestBlocking" and matching host permissions for this to take effect.
browser.webRequest.onHeadersReceived.addListener(
    onHeadersReceived,
    { urls: ['<all_urls>'] },
    ['blocking', 'responseHeaders']
);

Using splice() to remove the header was inspired by: https://github.com/cielavenir/ctouch/blob/master/undisposition/undisposition_bg.js (BSD)

Thank you for your suggestion.
I tested it, and using splice really does make the error messages not show.
But this doesn’t really fix the problem I was talking about.
My extension alters the CSP and doesn’t just clear it, so I added a link to another simple extension that I made that just adds ‘unsafe-inline’ to the ‘script-src’ resource, and the problem persists:
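For readers following the two approaches in this thread (deleting the CSP header entirely, and loosening it by adding 'unsafe-inline' to script-src), the following is an added example of a header-rewriting listener. It is not code from the attached add-ons or from Firefox; the header names, the SAMPLE_HEADERS array and the rewriteCsp/addSource helper names are constructed for illustration. The rewriting is kept in pure functions over the responseHeaders array so it can be run outside the browser; the registration at the bottom uses the real browser.webRequest.onHeadersReceived API and only runs when the file is loaded as a WebExtension background script. Whether Firefox 77 and later still honour a policy loosened this way is exactly the question the thread is about; the example only shows how to produce a well-formed loosened policy.

```javascript
// Added example, not from the thread's add-ons: rewriting CSP headers in a
// webRequest.onHeadersReceived listener without accidentally tightening them.

const CSP_HEADERS = new Set([
  "content-security-policy",
  "content-security-policy-report-only",
]);

// Parse one policy ("script-src 'self' cdn.example; object-src 'none'") into an
// ordered Map of directive -> source expressions. Directive names are
// case-insensitive; a repeated directive is ignored by browsers, so keep the first.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function serializeCsp(directives) {
  return Array.from(directives, ([name, sources]) => [name, ...sources].join(" ")).join("; ");
}

// Add `source` (e.g. "'unsafe-inline'") to `directive` in a single policy string.
// Two traps when loosening a policy:
//  - if the directive is absent, script-src falls back to default-src, so the new
//    directive must start from default-src's sources or it becomes MORE restrictive;
//  - 'none' cannot coexist with other sources, so it has to be dropped.
// An empty policy enforces nothing, so it is returned untouched: adding a
// directive to it would tighten rather than loosen it.
function addSource(policy, directive, source) {
  const directives = parseCsp(policy);
  if (directives.size === 0) return policy;
  if (!directives.has(directive)) {
    directives.set(directive, [...(directives.get("default-src") || [])]);
  }
  const kept = directives.get(directive).filter((s) => s.toLowerCase() !== "'none'");
  if (!kept.some((s) => s.toLowerCase() === source.toLowerCase())) kept.push(source);
  directives.set(directive, kept);
  return serializeCsp(directives);
}

// Rewrite the CSP headers of a webRequest responseHeaders array.
//   mode "remove": drop every CSP header (all occurrences, since each is enforced).
//   mode "loosen": add `source` to `directive` in every enforcing policy, including
//                  each policy of a comma-separated list, leaving report-only alone.
function rewriteCsp(headers, { mode, directive = "script-src", source = "'unsafe-inline'" }) {
  const out = [];
  for (const h of headers) {
    const name = h.name.toLowerCase();
    if (!CSP_HEADERS.has(name)) { out.push(h); continue; }
    if (mode === "remove") continue;
    if (name !== "content-security-policy") { out.push(h); continue; }
    const policies = h.value.split(",").map((p) => p.trim()).filter(Boolean);
    if (policies.length === 0) { out.push(h); continue; }
    out.push({ name: h.name, value: policies.map((p) => addSource(p, directive, source)).join(", ") });
  }
  return out;
}

function onHeadersReceived(details) {
  return { responseHeaders: rewriteCsp(details.responseHeaders, { mode: "loosen" }) };
}

// Constructed sample response headers (not captured from any real site).
const SAMPLE_HEADERS = [
  { name: "Content-Type", value: "text/html" },
  { name: "Content-Security-Policy", value: "default-src 'self'; object-src 'none'" },
  { name: "content-security-policy", value: "script-src 'self' https://cdn.example.com" },
  { name: "Content-Security-Policy-Report-Only", value: "script-src 'none'" },
];

// Register only when running as a WebExtension background script; manifest.json
// needs "webRequest", "webRequestBlocking" and matching host permissions.
if (typeof browser !== "undefined" && browser.webRequest) {
  browser.webRequest.onHeadersReceived.addListener(
    onHeadersReceived,
    { urls: ["<all_urls>"], types: ["main_frame", "sub_frame"] },
    ["blocking", "responseHeaders"]
  );
}
```

The point of the default-src fallback and the 'none' handling is that a naive `value += "; script-src 'unsafe-inline'"` on a page whose policy only has default-src produces a script-src that allows nothing but inline scripts, which is why a "loosening" extension can end up blocking more than the site itself did.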

This is probably about

Thanks a lot for the reference! :grinning:
I checked it now with my extension and it seems to have fixed it.