Extensions should be exempt from a site's Content Security Policy (CSP)

Confirmed Issue #11320212 • Assigned to Scott S.

Details

Author
Roman R.
Created
Mar 18, 2017
Privacy
This issue is public.
Reports
Reported by 1 person


Steps to reproduce

According to the CSP spec, CSP should not be enforced on extensions. Quoting from https://w3c.github.io/webappsec-csp/#extensions:

Policy enforced on a resource SHOULD NOT interfere with the operation of user-agent features like addons, extensions, or bookmarklets

Here’s an example to showcase the problem:

  1. Install Tampermonkey from https://www.microsoft.com/en-us/store/p/tampermonkey/9nblggh5162s
  2. Install GitHub Dark Script from https://github.com/StylishThemes/GitHub-Dark-Script/raw/master/github-dark-script.user.js
  3. Go to https://github.com and check the browser console, which logs this error:

Resource violated directive ‘script-src assets-cdn.github.com’ in Content-Security-Policy: inline script. Resource will be blocked.

Chrome and Firefox already implement CSP exclusion for extensions, so it’d be great if Edge would follow them too. For further reading, there’s also a Safari bug (1) and some discussion on the userscript’s issue tracker (2).

(1) https://bugs.webkit.org/show_bug.cgi?id=149000
(2) https://github.com/StylishThemes/GitHub-Dark-Script/issues/13
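The mechanism behind the console error above, shown as an added example that is not part of the original report and not code from Edge, Chromium, Firefox or Tampermonkey. It is a deliberately small model of how a user agent evaluates the script-src directive: the function names (parseCsp, hostSourceMatches, scriptAllowed), the script/initiator representation and the one-directive policy (constructed from the quoted console message; the real github.com header carries more directives) are all assumptions made for the illustration. It handles only 'self', 'none', 'unsafe-inline' and host sources; real browsers implement the full algorithm in the CSP specification. The "extension" initiator branch is the exemption the report asks Edge to implement.

```javascript
// Added illustration, not browser or Tampermonkey code: a simplified model of
// script-src evaluation, enough to show why the quoted policy blocks the
// userscript's inline injection and what the spec's extension exemption changes.

// Parse a Content-Security-Policy header value into { directiveName: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Match one host-source expression ("assets-cdn.github.com", "*.github.com",
// "https://cdn.example:8443") against the origin of an external script.
// Keywords such as 'self' do not match the pattern and yield false here.
// Simplification: an explicit port is compared literally, so ":443" does not
// match an https origin whose URL object reports the default port as "".
function hostSourceMatches(source, scriptOrigin) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  let origin;
  try { origin = new URL(scriptOrigin); } catch { return false; }
  if (scheme && scheme.toLowerCase() + ":" !== origin.protocol) return false;
  if (port && port !== origin.port) return false;
  const h = host.toLowerCase();
  return wildcard ? origin.hostname.endsWith("." + h) : origin.hostname === h;
}

// Decide whether a script may execute under `policy`.
//   script:    { inline: true } or { inline: false, origin: "https://host" }
//   initiator: "page" for scripts the document itself inserts, "extension" for
//              scripts injected by a user-agent extension (e.g. a userscript manager)
function scriptAllowed(policy, script, pageOrigin, initiator = "page") {
  // CSP spec, "Extensions" section: policy enforced on a resource should not
  // interfere with user-agent features. This is the exemption the report requests.
  if (initiator === "extension") {
    return { allowed: true, reason: "extension-initiated; page policy not enforced" };
  }
  const sources = policy["script-src"] || policy["default-src"];
  if (!sources) return { allowed: true, reason: "no script-src or default-src directive" };
  const directive = `script-src ${sources.join(" ")}`;
  if (script.inline) {
    return sources.includes("'unsafe-inline'")
      ? { allowed: true, reason: "'unsafe-inline' present" }
      : { allowed: false, reason: `Resource violated directive '${directive}': inline script` };
  }
  const ok = sources.some(s =>
    s === "'self'" ? script.origin === pageOrigin : hostSourceMatches(s, script.origin));
  return ok
    ? { allowed: true, reason: "matched a script-src source" }
    : { allowed: false, reason: `Resource violated directive '${directive}': ${script.origin}` };
}

// Constructed from the console message in the report; the real header has more directives.
const GITHUB_POLICY = parseCsp("script-src assets-cdn.github.com");
const PAGE_ORIGIN = "https://github.com";

function demo() {
  const results = {
    pageInline: scriptAllowed(GITHUB_POLICY, { inline: true }, PAGE_ORIGIN, "page"),
    extensionInline: scriptAllowed(GITHUB_POLICY, { inline: true }, PAGE_ORIGIN, "extension"),
    cdnScript: scriptAllowed(GITHUB_POLICY, { inline: false, origin: "https://assets-cdn.github.com" }, PAGE_ORIGIN),
    otherHost: scriptAllowed(GITHUB_POLICY, { inline: false, origin: "https://example.invalid" }, PAGE_ORIGIN),
  };
  for (const [label, r] of Object.entries(results)) {
    console.log(label.padEnd(16), r.allowed ? "allowed" : "blocked", "-", r.reason);
  }
  return results;
}

demo();
```

Running it reproduces the report's situation: the same inline script is blocked when attributed to the page (with a message of the same shape as the console error quoted above) and permitted when attributed to an extension, while external scripts are judged purely by the host-source list.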

Attachments

0 attachments

    Comments and activity

    • Microsoft Edge Team

      Changed Assigned To to “Steven K.”

      Changed Assigned To to “Sermet I.”

      Changed Assigned To from “Sermet I.” to “Scott S.”

      Changed Status to “Confirmed”
