CSP Error

[ValeryVS]

OS X
Firefox

With redux devtools enabled, I have CSP error in Firefox. Chrome extension works.

Content Security Policy: Параметры страницы заблокировали загрузку ресурса self («script-src»). Source: !function(t){function _webpack_require....

https://market.yandex.ru/

[ValeryVS]

Probably related
#411

[zalmoxisus]

It's related to https://bugzilla.mozilla.org/show_bug.cgi?id=1267027.

Some workarounds other extensions are exploring:

• Site CSP's prevent surrogates from being loaded. google-analytics on Twitter for example gorhill/uBlock#2823
• PB in Firefox causes CSP violation on sites that disallow script-src = self EFForg/privacybadger#1793
• Firefox no longer detecting MetaMask as installed MyCryptoHQ/MyCrypto#2061 (comment)
• Firefox CSP issue violentmonkey/violentmonkey#173

Another workaround is to include extension's injected script in our npm package, so you can include it directly for such cases.

[zalmoxisus]

I looked through the workarounds in the issues above, none suits our usecase. We cannot include clients scripts in the extension like ublock does, and providing a sha-code to be added on the client side would be the same as including the script from npm.

However, I see we still can inject the script from devpanel. The problem is that we need it to be done before the page is loaded, so we'll need to reload the page (probably adding a button for this case):

chrome.devtools.inspectedWindow.reload({ injectedScript: 'our page script here' })

This should go with our new pooling method planned for 3.0.

[zanona]

Hey @zalmoxisus, may I ask if there's any possible solution to get rid of that error in the logs as of today?
It's a shame Firefox display CSP issues from extensions as it can get in the way of development sometimes.
Thanks in advance.