How to configure Content Security Policy in FF extension?

Hello everyone,

As you may know, in Google Chrome there is a Content Security Policy (CSP) configuration in the manifest.json file, as below:

"content_security_policy": "[POLICY STRING GOES HERE]"

This introduces some fairly strict policies that make extensions more secure by default, and provides you with the ability to create and enforce rules governing the types of content that can be loaded and executed by your extensions and applications.

I wonder if we have the same configuration or functionality in FF extensions. In case we don't have it in FF extensions, is it valid and possible to edit the CSP by editing the request header? Is it valid to set "security.csp.enable" to false? I mean, are they still valid for the auto-signing process or not?

Thanks,
Phuong Nguyen.

CSP applies to web content. It isn’t directly relevant to an addon, which has an entirely different (higher) set of privileges. Are you trying to set CSP for a content script in an addon? Or something else? Maybe trying to enforce a stricter CSP policy on websites?

Firefox has its own content policy which may be better suited for restricting content in an addon:

Thanks @Lithopsian for your help.

Actually, there is a header that can be added to HTTP traffic from websites that will block execution of external JS. In this case, the content scripts of a browser extension cannot be loaded into those websites.

As a workaround, I tried to turn off CSP by setting "security.csp.enable" to false in the FF browser and saw that the browser extension works as usual. I wonder if I could use nsIContentPolicy to resolve this issue for some specific websites. Do you know of SDK libraries that have the same functionality as nsIContentPolicy?

Thank you so much.
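As an added illustration (example code written for this page, not code from the thread, from the Firefox SDK, or from Chrome): the script below parses a policy string of the kind that goes into Chrome's manifest.json "content_security_policy" value or a site's Content-Security-Policy response header, and decides whether a page at a given URL would be allowed to load an external script from another URL. It models only the common source expressions ('self', 'none', '*', scheme sources, and host sources with optional wildcard subdomain, port and path); nonces, hashes and 'strict-dynamic' are left out, and the path is treated as a plain prefix. The policy string and the hostnames are constructed for the example.

```javascript
// Added example: a small evaluator for the script-src / default-src part of a
// Content Security Policy. Not Firefox or Chrome code; see the lead-in for the
// simplifications it makes.

const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Parse "dir1 src src; dir2 src" into a Map of directive name -> [source expressions].
// As in the CSP spec, a repeated directive is ignored: the first occurrence wins.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// "*.example.com" matches any subdomain but not example.com itself.
function hostMatches(pattern, hostname) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // "*.example.com" -> ".example.com"
    return hostname.endsWith(suffix) && hostname.length > suffix.length;
  }
  return pattern === hostname;
}

// Does a single source expression authorise loading scriptUrl from a page at pageUrl?
function sourceAllows(expr, scriptUrl, pageUrl) {
  const src = new URL(scriptUrl);
  const page = new URL(pageUrl);
  const e = expr.toLowerCase();

  if (e === "'self'") return src.origin === page.origin;
  if (e === '*') return true;
  // 'none', 'unsafe-inline', 'unsafe-eval', nonces and hashes never match a URL.
  if (e.startsWith("'")) return false;
  // Scheme source such as "https:".
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return src.protocol === e;

  // Host source: [scheme://]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/[^?#]*)?$/.exec(e);
  if (!m) return false;
  const [, scheme, host, port, path] = m;

  if (scheme) {
    if (src.protocol !== scheme + ':') return false;
  } else if (src.protocol !== page.protocol &&
             !(page.protocol === 'http:' && src.protocol === 'https:')) {
    // No scheme in the expression: the page's own scheme applies (http may upgrade to https).
    return false;
  }
  if (!hostMatches(host, src.hostname)) return false;
  if (port && port !== '*') {
    const srcPort = src.port || DEFAULT_PORT[src.protocol] || '';
    if (srcPort !== port) return false;
  }
  // Simplification: path is a prefix match. The spec distinguishes "/dir/" (prefix)
  // from "/file.js" (exact); that nuance is omitted here.
  if (path && !src.pathname.startsWith(path)) return false;
  return true;
}

// Would a browser enforcing `policy` on `pageUrl` fetch and run the external
// script at `scriptUrl`? script-src governs external scripts, default-src is the
// fallback, and a policy with neither places no restriction on scripts.
function scriptAllowed(policy, scriptUrl, pageUrl) {
  const d = parseCsp(policy);
  const sources = d.get('script-src') ?? d.get('default-src');
  if (sources === undefined) return true;
  return sources.some(expr => sourceAllows(expr, scriptUrl, pageUrl));
}

// Constructed sample: a site header that trusts only itself and one CDN for scripts.
const SITE_POLICY = "default-src 'none'; script-src 'self' https://cdn.example.net; img-src *";
const PAGE = 'https://shop.example.org/checkout';

for (const url of ['https://shop.example.org/js/app.js',
                   'https://cdn.example.net/lib/vendor.js',
                   'https://evil.example.com/inject.js']) {
  console.log(url, '->', scriptAllowed(SITE_POLICY, url, PAGE) ? 'allowed' : 'blocked');
}
```

Run it with Node (it only needs the built-in URL class). The same function can be pointed at a Chrome-style manifest value such as "script-src 'self'; object-src 'self'" to see that, under that policy, nothing outside the extension's own origin is an acceptable script source.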

There isn’t an nsIContentPolicy equivalent for the SDK, though you can access it from SDK add-ons.

Thanks @jorgev for your clarification.

Just one more question, if you happen to know. I read that the command "jpm sign" will retrieve a Mozilla-signed .xpi file for the current add-on, and that it will be ready in JPM version 1.0.4. As I checked on the JPM GitHub, the current JPM version is 1.0.3, and I cannot find out when version 1.0.4 will be released. Do you or anyone else know when JPM version 1.0.4 will be released?

Thanks.