Loading of script resource blocked despite appropriate Content Security Policy

Hello!

We are porting a Chrome extension over to Firefox but are facing a bit of difficulty understanding the error below when attempting to load the addon’s popup.

The error is:

Content Security Policy: The page’s settings blocked the loading of a resource at http://localhost:3000/js/background.bundle.js (“script-src moz-extension://f75eb895-35f3-4b46-8ca4-41f60a168587 https://* moz-extension: blob: filesystem: ‘unsafe-eval’ ‘unsafe-inline’”). (unknown)

Content Security Policy: The page’s settings blocked the loading of a resource at http://localhost:3000/js/background.bundle.js (“script-src moz-extension://f75eb895-35f3-4b46-8ca4-41f60a168587”). (unknown)

For context, all of the extension code is provided by webpack in a special developer mode on localhost:3000. This works great in Chrome but fails in Firefox and I haven’t been able to work out why so far. Here is the value of the content_security_policy directive in our developer-mode manifest file:

"content_security_policy": "default-src 'self'; script-src 'self' http://localhost:3000 https://localhost:3000 'unsafe-eval'; connect-src *; style-src * 'unsafe-inline' 'self' blob:; img-src 'self' data:; font-src 'self' data:;"

Is this a bug or a divergence in behaviour from Chrome? How can it be fixed?

UPDATE

It seems that the documentation states that remote sources must use the https: scheme. After making changes to the code so it loads assets from https://localhost:3000, I now get the following error:

localhost:3000 uses an invalid security certificate.

The certificate is not trusted because it is self-signed.

Error code: SEC_ERROR_UNKNOWN_ISSUER
(unknown)

How do I instruct the browser to ignore this?

You don’t make it ignore this error, you make it trust your cert: https://vimeo.com/231286386?activityReferer=1

Also please tell me if it worked since I also have some issues with some WebExtension and CSP :smiley:

PS: Thank you for porting your Chrome extension to Firefox :smiley:

You don’t make it ignore this error, you make it trust your cert

Thanks for your reply, Andrei.

I can confirm that adding an exception for https://localhost:3000 in the Servers tab of the Certificate Manager worked.

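The rule cited in the UPDATE above (remote script sources must use the https: scheme), written as a check over a manifest's content_security_policy value. This is an added example, not part of the original thread or of Firefox's own code; the function names `parseCsp` and `nonHttpsScriptSources` and the list of local schemes are assumptions made for illustration.

```javascript
// Added example: list script sources in a CSP string that are remote but not https:.
// Assumed rule (from the thread): remote script sources must use the https: scheme.

// Schemes treated as local (not fetched over the network); this list is an assumption.
const LOCAL_SCHEMES = new Set(["blob", "data", "filesystem", "moz-extension", "chrome-extension"]);

// Split a CSP string into a Map of directive name -> array of source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // In CSP the first occurrence of a directive wins; later duplicates are ignored.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return the script sources that would load code over something other than https:.
function nonHttpsScriptSources(policy) {
  const directives = parseCsp(policy);
  // script-src falls back to default-src when it is absent.
  const sources = directives.get("script-src") || directives.get("default-src") || [];
  return sources.filter((src) => {
    if (/^'.*'$/.test(src)) return false; // keywords such as 'self' or 'unsafe-eval'
    // A scheme is "name:" alone or "name://..."; "localhost:3000" is a bare host, not a scheme.
    const m = /^([a-z][a-z0-9+.-]*):(\/\/.*)?$/i.exec(src);
    if (!m) return true; // bare host or "*": scheme is not pinned to https
    const scheme = m[1].toLowerCase();
    return scheme !== "https" && !LOCAL_SCHEMES.has(scheme);
  });
}

// The developer-mode policy quoted in the question.
const devPolicy =
  "default-src 'self'; script-src 'self' http://localhost:3000 https://localhost:3000 " +
  "'unsafe-eval'; connect-src *; style-src * 'unsafe-inline' 'self' blob:; " +
  "img-src 'self' data:; font-src 'self' data:;";

console.log(nonHttpsScriptSources(devPolicy)); // [ 'http://localhost:3000' ]
```

Running this against a development manifest before loading it in Firefox shows which entries need an https: equivalent (and therefore a certificate the browser trusts).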