Content Security Policy: The page’s settings blocked the loading of a resource at

Please help me correctly register the addresses for the libraries. For the plugin I need the Bootstrap and jQuery libraries. When I try to connect them from the official sources, I get errors:
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“style-src”). 4 moz-extension
Content Security Policy: The page’s settings blocked the loading of a resource at https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/js/bootstrap.bundle.min.js (“script-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at https://code.jquery.com/jquery-3.6.0.min.js (“script-src”).

I tried to fix them by prescribing a Content-Security-Policy, but something failed to load.

Add-ons must be self-contained and not load remote code for execution.

You should bundle all libraries your extension uses directly with the extension. See also https://extensionworkshop.com/documentation/publish/add-on-policies/#development-practices

(that’s not why you’re getting this error, but the real fix is to follow this policy)

Also, you can’t have inline JS (so no `<script>code here</script>` and no `onevent` HTML properties).

My extension was approved and there were no problems for a while. Mozilla recently denied approval, reason:

Established libraries must be included from their official source, in their original format without any modification (changing the file name does not matter). Please note that only stable releases are acceptable (not beta, pre, RC, dev etc) and that third party CDNs are not considered official sources.

I do not know what to do. Mozilla support sent me to this forum.

You need to download these files and include them in your XPI directly/reference them relatively instead of the version on the CDN.

This is what I did initially. These files were loaded in their original form into my extension and were connected in this way:
– link rel=“stylesheet” href=“static/css/bootstrap.min.css”
– script src=“static/js/bootstrap.bundle.min.js”
– script src=“static/js/jquery-3.5.1.min.js” defer

That seems fine, assuming those were the official releases. It is possible your versions got too old and had security vulnerabilities, for example. In general, I’d recommend checking with the linter (for example with web-ext lint but also the errors/warnings when uploading) if it recognizes the library. It should always recognize jquery, not sure about bootstrap.

By the way, if you want to include HTML examples, make sure to use code blocks (the </> icon in the editor, or just markdown if you’re familiar).

I think I figured out what the problem is. I used the beta version of the bootstrap library. Probably need to use the release one. I just don’t understand how the plugin was approved 7 months ago.


Extensions can be rejected at any time after upload, since human reviews are not done before it gets distributed (see the intro at https://extensionworkshop.com/documentation/publish/what-does-review-rejection-mean-to-users/ )

Thanks for the answers. I will now try to use other versions of the libraries and send them for review. Then I will tell the community what happened.
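An added example, not part of any post in this thread and not Mozilla's tooling: a heuristic pre-submission scan of an extension page's HTML for the points raised above (remote scripts and stylesheets, inline scripts, `on*` handler attributes, pre-release library file names). The function name, rule labels and sample markup are assumptions made for illustration, and the beta file name in the sample is constructed.

```javascript
// Heuristic, regex-based scan; not a full HTML parser.
const REMOTE = /^(https?:)?\/\//i;                            // absolute or protocol-relative URL
const PRERELEASE = /[-._](alpha|beta|pre|rc|dev)[-._\d]/i;    // e.g. "-beta1." in a file name

function attr(tag, name) {
  const m = tag.match(new RegExp("\\b" + name + "\\s*=\\s*[\"']?([^\"'\\s>]+)", "i"));
  return m ? m[1] : null;
}

function checkUrl(url, kind, findings) {
  if (REMOTE.test(url)) findings.push({ rule: "remote-" + kind, detail: url });
  if (PRERELEASE.test(url)) findings.push({ rule: "prerelease-library", detail: url });
}

function auditExtensionHtml(html) {
  const findings = [];
  // <script> elements: either an external reference or an inline body.
  for (const [, attrs, body] of html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi)) {
    const src = attr(attrs, "src");
    if (src) checkUrl(src, "script", findings);
    else if (body.trim()) findings.push({ rule: "inline-script", detail: body.trim().slice(0, 40) });
  }
  // <link href=...> elements (stylesheets).
  for (const [tag] of html.matchAll(/<link\b[^>]*>/gi)) {
    const href = attr(tag, "href");
    if (href) checkUrl(href, "stylesheet", findings);
  }
  // Event-handler attributes such as onclick= (the last one per tag is reported).
  for (const m of html.matchAll(/<[a-z][^>]*\s(on[a-z]+)\s*=/gi)) {
    findings.push({ rule: "inline-event-handler", detail: m[1] });
  }
  return findings;
}

// Constructed sample page: the CDN URL is the one from the error message above,
// the "-beta1" file name is made up for the example.
const SAMPLE = `
<link rel="stylesheet" href="static/css/bootstrap.min.css">
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
<script src="static/js/bootstrap-5.0.0-beta1.bundle.min.js"></script>
<script src="static/js/jquery-3.5.1.min.js" defer></script>
<script>console.log("inline");</script>
<button onclick="go()">Go</button>
`;

for (const f of auditExtensionHtml(SAMPLE)) console.log(f.rule + ": " + f.detail);
```

The scan only looks at file names, so a pre-release build saved under a neutral name such as `bootstrap.bundle.min.js` is not flagged; the `web-ext lint` check recommended in the thread still applies.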