I was looking over an extension installed from Mozilla add-ons area, and noticed a CSP violation in the extension console. The truth is I wasn’t looking to examine the extension’s code but wanted to know what can be seen in an installed extension versus what I can see in my temporarily loaded extension as I work on it; and I noticed this error.
Content Security Policy: The page’s settings blocked the loading of a resource at eval (“script-src”).
The error is at the line below that returns the new function. Does this mean that the extension is attempting to load and run an external script?
var nativePromiseInstanceAndProto = (function () {
try {
// Be able to patch native async functions
return new Function("let F=async ()=>{},p=F();return [p,Object.getPrototypeOf(p),Promise.resolve(),F.constructor];")();
}
catch (e) {
var P = _global.Promise;
return P ?
[P.resolve(), P.prototype, P.resolve()] :
[];
}
})();
There are two eval in the background script.
var nodeWrap = function nodeWrap(method) {
var crypto = eval("require('crypto')");
var Buffer = eval("require('buffer').Buffer");
var nodeMethod = function nodeMethod(message) {
if (typeof message === 'string') {
return crypto.createHash('sha1').update(message, 'utf8').digest('hex');
} else if (message.constructor === ArrayBuffer) {
message = new Uint8Array(message);
} else if (message.length === undefined) {
return method(message);
}
return crypto.createHash('sha1').update(new Buffer(message)).digest('hex');
};
return nodeMethod;
};
I don’t understand most of the code and am not implying that someone is attempting to do something wrong. That error just sounds like something that would not be permitted in an approved extension.
Thank you.