CSP injectScript warning #2941

Closed
bravecrayon opened this issue Jan 23, 2024 · 1 comment

@bravecrayon

In Firefox 123.0b1, on a site with CSP script-src set to 'self', I see this in the console:

Content-Security-Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). utils.js:42:10

That is this line. Why is it trying to inject a <script> tag? Also, could a site easily evade whatever Privacy Badger is trying to do here with a specifically crafted CSP?

@ghostwords
Member

ghostwords commented Jan 23, 2024

Thanks for reaching out!

This is a bug in Firefox where the browser fails to override site CSPs for page context ("main world") scripts injected by extension content scripts.

This will be fixed when Firefox fixes their bug, or when we change the way we inject into page contexts.

Privacy Badger injects page context scripts for things like click-to-activate widget placeholders, DNT/GPC signals in JavaScript, and denying JavaScript cookie access to "cookie-blocked" ("yellowlisted") domains. Core tracker blocking functionality is not affected.

Closing as a duplicate of #1793.
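
Why a `script-src 'self'` policy yields the console message reported in this issue, as an added example that is not Privacy Badger's or Firefox's code: it parses one policy string and reports whether an inline `<script>` element without a nonce would be allowed. The function names and all sample policies except the reported one are constructed; it evaluates a single policy as the page itself would see it, without the extension override that the Firefox bug fails to apply.

```javascript
// Added example: decides whether one CSP policy string permits an inline
// <script> element that carries no nonce. Function names are hypothetical.

// Parse a serialized policy into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per the CSP spec, a repeated directive is ignored; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Inline <script> elements are governed by script-src-elem, then script-src,
// then default-src. With none of them present, nothing restricts scripts.
function inlineScriptVerdict(policy) {
  const directives = parseCsp(policy);
  const directive = ["script-src-elem", "script-src", "default-src"]
    .find((name) => directives.has(name));
  if (directive === undefined) return { directive: null, allowed: true };

  const sources = directives.get(directive).map((s) => s.toLowerCase());
  // A nonce, hash or 'strict-dynamic' makes the browser ignore 'unsafe-inline',
  // so an injected script without a matching nonce or hash is still blocked.
  const overridesUnsafeInline = sources.some((s) =>
    /^'(nonce-|sha(256|384|512)-)/.test(s) || s === "'strict-dynamic'");
  const allowed = sources.includes("'unsafe-inline'") && !overridesUnsafeInline;
  return { directive, allowed };
}

// Constructed sample policies; the first is the one from the report.
const samples = [
  "script-src 'self'",
  "default-src 'self'; img-src *",
  "script-src 'self' 'unsafe-inline'",
  "script-src 'unsafe-inline' 'nonce-cjR0ZXN0'",
  "img-src 'self'",
];
for (const policy of samples) {
  const { directive, allowed } = inlineScriptVerdict(policy);
  console.log(`${allowed ? "allowed" : "blocked"}  via ${directive}  ${policy}`);
}
```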
