This introduces some fairly strict policies that will make extensions more secure by default, and provides you with the ability to create and enforce rules governing the types of content that can be loaded and executed by your extensions and applications.
I wonder if we have the same configuration or functionality in FF extensions. In case we don’t have it in FF extensions, is it valid and possible to edit the CSP by editing the request header? Is it valid to set “security.csp.enable” to false? I mean, are they still valid for the auto-signing process or not?
CSP applies to web content. It isn’t directly relevant to an addon, which has an entirely different (higher) set of privileges. Are you trying to set CSP for a content script in an addon? Or something else? Maybe trying to enforce a stricter CSP policy on websites?
Actually, there is a header tag that can be added to HTTP traffic from websites that will block execution of external JS. In this case, the content scripts of a browser extension cannot be loaded into the websites.
As a workaround, I tried to turn off CSP by setting “security.csp.enable” to false in the FF browser and saw that the browser extension works as usual. I wonder if I could use nsIContentPolicy to resolve this issue for some specific websites. Do you know of SDK libraries which have the same functionality as nsIContentPolicy?
Just one more question, if you happen to know. I read that the command “jpm sign” will help to retrieve a Mozilla-signed .xpi file for the current add-on, and that it will be ready in JPM version 1.0.4. As I checked on JPM GitHub, the current JPM version is 1.0.3 and I cannot find out when version 1.0.4 will be released. Do you or someone else know when JPM version 1.0.4 will be released?