Steps to reproduce
According to the CSP spec, CSP should not be enforced on extensions. Quoting from https://w3c.github.io/webappsec-csp/#extensions:
Policy enforced on a resource SHOULD NOT interfere with the operation of user-agent features like addons, extensions, or bookmarklets
Here’s an example to showcase the problem:
- Install Tampermonkey from https://www.microsoft.com/en-us/store/p/tampermonkey/9nblggh5162s
- Install GitHub Dark Script from https://github.com/StylishThemes/GitHub-Dark-Script/raw/master/github-dark-script.user.js
- Go to https://github.com and check the browser console, which logs this error:
Resource violated directive ‘script-src assets-cdn.github.com’ in Content-Security-Policy: inline script. Resource will be blocked.
Chrome and Firefox already implement a CSP exclusion for extensions, so it'd be great if Edge would follow them too. For further reading, there's also a Safari bug (1) and some discussion on the userscript's issue tracker (2).
Comments and activity
- Microsoft Edge Team
Changed Assigned To to “Steven K.”
Changed Assigned To to “Sermet I.”
Changed Assigned To from “Sermet I.” to “Scott S.”
Changed Status to “Confirmed”