Trying to retrofit our working chrome web extension to work in Firefox (Development Edition v50.0a2). When we run the existing extension, we’re met with this error:
Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src moz-extension://60027548-2e95-43be-976a-1d67236b301a”).
Using a background HTML page specified in the manifest like so:
Removing the one referencing jQuery allows the extension to be loaded without the error, so we’re currently assuming that is the issue. However, the extension currently relies on it to function properly.
I had a problem using the CSP in Firefox too (worked in Chrome). In the end I decided to simply avoid it.
I think your extension won’t pass the review if it loads external code into privileged contexts, so you should include an offline copy of jQuery anyway.
Thanks. However, the issue is that I’m actually attempting to load jQuery locally from the web extension, as shown in the script tags above.
There is also no way to “avoid” the usage of the CSP, since even if you do not specify one, a default (and very restrictive) one is used. This is the purpose of us using the one that we do. And again, since it works in Chrome just fine, I’m assuming this is an issue with Firefox, or a major discrepancy between the two implementations I’ve yet to comprehend.
Perhaps I’m missing something (again), but another fun fact to add to my response above…
Mozilla states that they do support referencing remote scripts through the very use of the CSP, so even if I elected to reference jQuery from a respected CDN, I should be able to:
Removing the jQuery reference appears to keep the error from cropping up.
Our CSP must remain intact for reasons specific to the web extension in question.
We’re not adding anything in the CSP that should cause any issues here. I fear we actually might be omitting something which the Firefox Web Extension implementation requires. I just cannot figure out what that might be.
The only permitted schemes for sources are: blob:, filesystem:, moz-extension:, and https:.
And yes, when I remove the jQuery script, the error disappears. When I load a page which triggers the web extension, I’m seeing it progress past that initial error, and on to yet another CSP-related error. This one relating to a remote script we’re trying to load. And yes, this remote URL should also be allowed, since we’re specifying it in the CSP.
Can you (and does it help to) XHR to your locahost (or maybe some some domain that resolves to 127.0.0.1, e.g. http://42foo.com/) if you list it as permission?
This has no effect. The address resolution doesn’t even come into play when I simply attempt to load the web extension into Firefox. It is a simple matter of Firefox not allowing jQuery to load locally, from the extension.
The idea was that maybe you don’t need the CSP anymore if you XHR for your local resources; which, for some wiered reason, would fix the problem with jQuery, wouldn’t it?
For those interested, the version of jQuery in question is v1.10.2. Updating to the latest v2 (2.2.4) addresses this particular issue. Firefox allows it to load without issue.
However, the issue still remains that the “content_security_policy” in the manifest is completely ignored. Once we were able to move past the original issue with jQuery, we are still met with scripts being blocked from remote sources, even though the URLs are being served over HTTPS, and are included in the “content_security_policy” key in the manifest.
The question remains. Where is this being blocked? Where is this default CSP coming from? We are assuming this is either a bug at this point, or proper support for the CSP key has yet to be implemented or honored elsewhere. So, the only thing left to do at this point is to file a bug against this specific issue.
In the interest of helping others - As mentioned in the bug I entered, it is a matter of “moz-extension:” existing in the CSP without an actual host. Once this is removed, the CSP is accepted in full, and the remote script can be requested fine.