[Blog post] Test the new Content Security Policy for Content Scripts

Hi all,

As part of our efforts to make add-ons safer for users, and to support evolving manifest v3 features, we are making changes to apply the Content Security Policy (CSP) to content scripts used in extensions.

You can see how your extension will be affected by testing this feature in Nightly or Beta. For more information, please see the Add-ons Blog.


I may have just missed it, but what’s the CSP for content scripts with this change? The same as the one that currently applies to extension pages by default? And what does no remote scripts mean for content scripts? Since content scripts aren’t really html pages… Or is it that they can’t inject script tags that load a script from remote resource?

The same as the one that currently applies to extension pages by default?

Yes, it is currently the same as applied to extension pages. That will change soon.

And what does no remote scripts mean for content scripts?

When the above-mentioned change happens, loosening the default CSP will not allow adding access to remote resources via e.g. http and ftp.

Drawing attention to this, from the blog post:

… upcoming changes to disallow remote scripts. …

I suspect that despite the early warning, it will take a few developers by surprise.

At and under https://bugzilla.mozilla.org/show_bug.cgi?id=1594234#c0:

Developers can no longer use CSP directives that enable remotely hosted code (code that is not bundled with the extension). Manifests that include such directives will error at parse time. …

This will require two sets of csp defaults, one for v2 and one for v3. As well, if bug 1594235 is implemented, we’ll need a separate set for that.

– Mozilla bug 1594235 - consider supporting content_security_policy.sandbox
Via https://bugzilla.mozilla.org/showdependencytree.cgi?id=1581608&hide_resolved=0:

If https://bugzilla.mozilla.org/show_bug.cgi?id=1578284#c2 is misplaced, please hide or delete it.

HTH
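The bugzilla comment quoted above says manifests whose CSP directives enable remotely hosted code will error at parse time, with separate defaults for manifest v2 and v3. As an added example (not Firefox's own manifest parser, and not code from this thread), here is a pre-flight check that parses the `content_security_policy` field in either form and lists any script-capable directive whose source could fetch remote code; which directives count as "code" and which keywords count as local are assumptions made for this illustration.

```javascript
// Added example, not Firefox's manifest parser: flags CSP sources that would
// let an extension load remotely hosted code (the directives the bug comment
// says will be rejected at parse time). Directive and keyword sets are assumptions.
const CODE_DIRECTIVES = new Set([
  "default-src", "script-src", "script-src-elem", "script-src-attr", "worker-src",
]);
// Source expressions that never fetch from a remote host.
const LOCAL_SOURCES = new Set([
  "'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'", "'wasm-unsafe-eval'",
  "blob:", "data:", "filesystem:", "moz-extension:",
]);
// Split "script-src 'self'; object-src 'self'" into a directive -> sources map.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}
// Anything that is not a local keyword, nonce or hash can name a remote origin
// (http:, https:, ftp:, a host pattern or "*"), so treat it as remote.
function isRemoteSource(src) {
  const s = src.toLowerCase();
  if (LOCAL_SOURCES.has(s)) return false;
  return !(s.startsWith("'nonce-") || s.startsWith("'sha"));
}
// "directive: source" for every remote code source in one policy string.
function findRemoteCodeSources(policy) {
  const findings = [];
  for (const [name, sources] of parseCsp(policy)) {
    if (!CODE_DIRECTIVES.has(name)) continue;
    for (const src of sources) if (isRemoteSource(src)) findings.push(`${name}: ${src}`);
  }
  return findings;
}
// Manifest v2 stores one policy string; manifest v3 stores an object keyed by
// context (e.g. extension_pages, sandbox). Returns "context -> directive: source".
function checkManifestCsp(manifest) {
  const csp = manifest.content_security_policy;
  if (csp === undefined) return [];
  const policies = typeof csp === "string" ? { extension_pages: csp } : csp;
  const findings = [];
  for (const [context, policy] of Object.entries(policies)) {
    for (const f of findRemoteCodeSources(policy)) findings.push(`${context} -> ${f}`);
  }
  return findings;
}
```

An empty result means the manifest's CSP names only local sources; any entry is a directive worth fixing before it is rejected at install time.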