If a web site provides a Content Security Policy, the extension's content scripts are affected by the web site's policies.

Confirmed Issue #11076023 • Assigned to Scott S.

Details

Author
Tomohito Y.
Created
Feb 25, 2017
Privacy
This issue is public.
Found in
  • Microsoft Edge
Found in build #
15.15042
Reports
Reported by 4 people


Steps to reproduce

If a web site provides a Content Security Policy, the extension’s content scripts are affected by the web site’s policies.

  1. Open a CSP-enabled web site (e.g. https://github.com/MicrosoftEdge)
  2. Open the Console in F12
  3. Switch Target to “Extension: …” (change scope to content script)
  4. Execute the JavaScript code below.

         // Create a same-document blob: URL holding a short text payload.
         var url = URL.createObjectURL(new Blob(['Hello!Konnichiwa'], {type:'text/plain'}));
         // Fetch it back with XHR; this request is what connect-src is evaluated against.
         var xhr = new XMLHttpRequest();
         xhr.open('GET', url);
         xhr.onload = () => console.log(xhr.response);
         // Fires when the request is blocked.
         xhr.onerror = () => console.log('Error');
         xhr.send();

  5. Receive a result
  • Expected (Google Chrome): Hello! Konnichiwa
  • Actual (Microsoft Edge): Error with Warning CSP14312
CSP14312: Resource violated directive 'connect-src 'self' uploads.github.com status.github.com collector.githubapp.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com wss://live.github.com' in Content-Security-Policy: blob:958866E0-E4C5-452E-85A1-DB7E7E48B1FB. Resource will be blocked.

Attachments

0 attachments
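
Why the page's connect-src rejects the content script's blob: request, as an added example (not code from the report or from Edge): a simplified source-list matcher for Node.js, run over the directive and blob URL quoted in the CSP14312 warning. The function names are hypothetical, and the matching rules (no paths, ports, wildcard hosts or default-src fallback) are simplifying assumptions.

```javascript
// Simplified CSP source-list matching for connect-src (added example, assumptions:
// no paths, ports, wildcard hosts or default-src fallback are modelled).
const NETWORK_SCHEMES = new Set(['http:', 'https:', 'ws:', 'wss:']);

function parseDirective(policy, name) {
  // A policy is a ';'-separated list of directives: "name source source ...".
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === name) return tokens.slice(1);
  }
  return null; // directive not present
}

function sourceMatches(source, url, pageOrigin) {
  const target = new URL(url);
  // A scheme source such as "blob:" or "https:" matches on the scheme alone.
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return target.protocol === source.toLowerCase();
  }
  // 'self', host sources and "*" only match network schemes, so a blob: URL
  // can be allowed only by an explicit "blob:" scheme source.
  if (!NETWORK_SCHEMES.has(target.protocol)) return false;
  if (source === '*') return true;
  if (source === "'self'") return target.origin === pageOrigin;
  // Host source with optional scheme: "api.github.com", "wss://live.github.com".
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)$/i.exec(source);
  if (!m) return false;
  if (m[1] && target.protocol !== m[1].toLowerCase() + ':') return false;
  return target.hostname === m[2].toLowerCase();
}

function connectAllowed(policy, url, pageOrigin) {
  const sources = parseDirective(policy, 'connect-src');
  if (sources === null) return true; // nothing restricts connections in this model
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Directive and blob URL copied from the CSP14312 warning in this report.
const PAGE_POLICY = "connect-src 'self' uploads.github.com status.github.com " +
  "collector.githubapp.com api.github.com www.google-analytics.com " +
  "github-cloud.s3.amazonaws.com wss://live.github.com";
const BLOB_URL = 'blob:958866E0-E4C5-452E-85A1-DB7E7E48B1FB';

console.log(connectAllowed(PAGE_POLICY, BLOB_URL, 'https://github.com'));
console.log(connectAllowed(PAGE_POLICY + ' blob:', BLOB_URL, 'https://github.com'));
```

Under the page's policy the blob: URL matches no source, which is the block Edge reports; the second call shows that only an explicit blob: source in the site's own policy would allow it, something an extension author cannot control.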

    Comments and activity

    • Changed Steps to Reproduce


    • Microsoft Edge Team

      Changed Assigned To to “Chee C.”

      Changed Assigned To to “Sermet I.”

      Changed Assigned To from “Sermet I.” to “Scott S.”

      Changed Status to “Confirmed”
