Inconsistency: content_security_policy syntax #96

Closed
3 tasks
carlosjeurissen opened this issue Oct 3, 2021 · 1 comment
Labels
inconsistency Inconsistent behavior across browsers topic: csp Related to content security policy enforcement

carlosjeurissen commented Oct 3, 2021

Classic syntax

There are two syntaxes for content_security_policy. The first one is the classic syntax, defined as a string under content_security_policy for extension pages and under sandbox.content_security_policy for sandboxes.

Modern object syntax

The second and newer syntax uses an object notation. The object notation is as follows:

{
  "content_security_policy": {
      "extension_pages": "CSP for extension pages, equivalent to the old string notation",
      "sandbox": "CSP for sandbox, previously under sandbox.content_security_policy",
      "content_scripts": "CSP specifically for content scripts"
  }
}

Support

Currently, MV3 in browsers requires the newer object notation, while MV2 requires the classic string syntax.

Firefox has proposed to support using the object notation in MV2 as well. See Firefox announcement.

A proposal to keep supporting the classic syntax in MV3 can be found here:
Crbug 1158786. Though, as mentioned in the issue report, this might not be a welcome change.

Action items

  • Document in what browsers what syntaxes are supported under what manifest version
  • Consider supporting the object syntax in MV2 in other browsers than Firefox
  • Consider supporting the string syntax as alias for content_security_policy.extension_pages
@carlosjeurissen carlosjeurissen changed the title content_security_policy syntax Inconsistency: content_security_policy syntax Oct 3, 2021
@xeenon xeenon added the inconsistency Inconsistent behavior across browsers label Oct 25, 2021
@carlosjeurissen

Conclusion:
Firefox supports the object syntax in MV2 nowadays.
There is no intent to support the object syntax in MV2 for other browsers. Also, there is no need to support the string syntax for CSP as the manifest version clearly changes.

@carlosjeurissen carlosjeurissen added the topic: csp Related to content security policy enforcement label Apr 29, 2022
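
The support rules stated in this thread (MV3 requires the object syntax, MV2 the classic string syntax, and Firefox also accepts the object syntax in MV2), written as a manifest check. This is an added example, not code from the issue or from any browser; `checkManifestCsp` and the browser labels `"firefox"` and `"chrome"` are hypothetical names.

```javascript
// Added example: checks which content_security_policy syntax a manifest uses
// and whether the thread's stated rules allow it for that manifest version.
const OBJECT_KEYS = ["extension_pages", "sandbox", "content_scripts"];

function checkManifestCsp(manifest, browser) {
  const mv = manifest.manifest_version;
  const csp = manifest.content_security_policy;
  const classicSandbox = manifest.sandbox && manifest.sandbox.content_security_policy;
  const result = { syntax: "none", policies: {}, problems: [] };

  if (typeof csp === "string") {
    // Classic syntax: the string is the policy for extension pages.
    result.syntax = "classic";
    result.policies.extension_pages = csp;
    if (mv === 3) result.problems.push("MV3 requires the object syntax");
  } else if (csp && typeof csp === "object" && !Array.isArray(csp)) {
    // Object syntax: one policy string per context.
    result.syntax = "object";
    for (const key of OBJECT_KEYS) {
      if (typeof csp[key] === "string") result.policies[key] = csp[key];
    }
    if (mv === 2 && browser !== "firefox") {
      result.problems.push("object syntax in MV2 is only supported by Firefox");
    }
  } else if (csp !== undefined) {
    result.problems.push("content_security_policy must be a string or an object");
  }

  if (typeof classicSandbox === "string") {
    // Classic location of the sandbox policy.
    if (mv === 3) {
      result.problems.push("MV3 expects content_security_policy.sandbox, not sandbox.content_security_policy");
    } else {
      if (result.syntax === "none") result.syntax = "classic";
      if (result.policies.sandbox === undefined) result.policies.sandbox = classicSandbox;
    }
  }
  return result;
}

// Constructed sample manifest (not taken from a real extension).
const sample = {
  manifest_version: 2,
  content_security_policy: { extension_pages: "script-src 'self'; object-src 'self'" }
};
console.log(checkManifestCsp(sample, "chrome").problems);
console.log(checkManifestCsp(sample, "firefox").problems);
```

A policy reported under `problems` should be treated as not known to be in effect for that browser until the manifest is rewritten in the supported syntax.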