Proposal: content_security_policy.content_scripts
#95
Labels
implemented: firefox
Implemented in Firefox
neutral: safari
Not opposed or supportive from Safari
proposal
Proposal for a change or new feature
topic: csp
Related to content security policy enforcement
Comments
|
Chrome originally planned to provide a "content_scripts" field in the "content_security_pollicy", but decided not to for technical reasons. I'm out of the office for a bit, so unfortunately I won't be able to follow up on the details here for a couple weeks.
This isn't quite accurate. Content scripts run in an isolated world, but they still (mostly) abide by the host page's CSP. To my knowledge the only notable exception here is that extensions are able to inject resources from their own origins. It's also worth noting that content scripts have been subject to CORB since Chrome 73 and CORS since Chrome 83 (source). |
carlosjeurissen
added
the
topic: csp
xeenon
added
proposal
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Since
content_scriptsrun into a different context than the websites. They are not subject to the CSP of the website. To improve security, allow configuring / setting the CSP ofcontent_scriptsusingcontent_security_policy.content_scripts. This has been worked on By Mozilla already.The implementation by Mozilla is not limited to MV3 and is also supposed to work under MV2.
See:
Mozilla Bugzilla issue 1581608
Mozilla discourse discussion
Mozilla announcement
The text was updated successfully, but these errors were encountered: