So, I had this error handling/reporting code in a WebExtension:
    { ... } catch (error) {
        document.body.innerHTML = (`<h1>500</h1>${ error && error.message || '' }`);
    }
prefixed with the comment
    // inline scripts are not allowed (CSP, firefox), so this is not a security problem
The reviewer did not agree with that. My question is why. (I know how to avoid it, that’s not the point.)
I ask this because the Content Security Policy of WebExtensions in Firefox does disallow script-src 'unsafe-inline'. The AMO reviews are only concerned with Firefox (and Fennec). So any kind of code injection (XSS) should be out of the picture, right?
As far as I see it, the worst thing that could happen is that an attacker could (visually) mess with my error page and include passive content fetches from their servers. Is that all (I think the developers should be allowed to decide if they permit that), or am I missing something?
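An added example, not part of the original post: it puts the `innerHTML` pattern from the question beside two forms where `error.message` can only ever be text, so the page no longer depends on the CSP to contain it. The function names, the `<p>` wrapper and the sample message are assumptions made for illustration.

```javascript
// Added example; every name except the innerHTML template is hypothetical.

// The pattern from the question: error.message is interpolated as markup.
function errorMarkupUnescaped(error) {
  return `<h1>500</h1>${ error && error.message || '' }`;
}

// Escape the characters that let text turn into tags or break out of attributes.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Same template, but the message is escaped before it reaches the HTML parser.
function errorMarkupEscaped(error) {
  return `<h1>500</h1>${ escapeHtml(error && error.message || '') }`;
}

// DOM variant: no HTML parsing at all, the message is assigned as a text node.
// `doc` is the page's document (passed in so the function can be exercised off-page).
function showError(doc, error) {
  const heading = doc.createElement('h1');
  heading.textContent = '500';
  const detail = doc.createElement('p');
  detail.textContent = error && error.message || '';
  doc.body.replaceChildren(heading, detail);
}

// Rough count of element start tags in a string (demo check, not an HTML parser).
function countStartTags(markup) {
  return (markup.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed sample: a message that echoes externally supplied text containing
// passive markup of the kind the question mentions. No script is involved.
const sampleError = new Error('lookup failed for <img src="https://example.invalid/p.png">');

console.log(countStartTags(errorMarkupUnescaped(sampleError))); // <h1> and <img>
console.log(countStartTags(errorMarkupEscaped(sampleError)));   // <h1> only
```

In the extension page the last variant would be called as `showError(document, error)` inside the `catch` block.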