Extensions should be exempt from a site's Content Security Policy (CSP)

Fixed Issue #11320212


Roman R.
Mar 18, 2017
This issue is public.
Fixed in build #
Reported by 8 people


Steps to reproduce

According to the CSP spec, CSP should not be enforced on extensions. Quoting from https://w3c.github.io/webappsec-csp/#extensions:

Policy enforced on a resource SHOULD NOT interfere with the operation of user-agent features like addons, extensions, or bookmarklets

Here’s an example to showcase the problem:

  1. Install Tampermonkey from https://www.microsoft.com/en-us/store/p/tampermonkey/9nblggh5162s
  2. Install GitHub Dark Script from https://github.com/StylishThemes/GitHub-Dark-Script/raw/master/github-dark-script.user.js
  3. Go to https://github.com and check the browser console, which logs this error:

Resource violated directive ‘script-src assets-cdn.github.com’ in Content-Security-Policy: inline script. Resource will be blocked.

Chrome and Firefox already implement CSP exclusion for extensions, so it’d be great if Edge would follow them too. For further reading, there’s also a Safari bug (1) and some discussion on the userscript’s issue tracker (2).

(1) https://bugs.webkit.org/show_bug.cgi?id=149000
(2) https://github.com/StylishThemes/GitHub-Dark-Script/issues/13
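To make the reported error concrete, the following is an added example (not code from the issue, from Edge or from the extensions mentioned): a minimal evaluator for a CSP `script-src` directive. Run against the page's own policy, `script-src assets-cdn.github.com`, it shows why an inline script is blocked without `'unsafe-inline'`, and that a page-enforced policy cannot tell an extension-injected inline script from one the page itself wrote, which is exactly the case the spec's extension exemption exists for. The function names and the `{ inline: true }` / `{ src }` script shape are assumptions of this example.

```javascript
// Added example: evaluate a CSP script-src directive for a script about to run.
// Covers host-sources, scheme-sources, *.wildcards, 'self' and 'unsafe-inline'.

// Parse a serialized CSP header into { directiveName: [sourceExpr, ...] }.
function parseCsp(header) {
  const policy = {};
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Match one source expression against a script URL.
function sourceMatches(expr, url, documentOrigin) {
  if (expr === "*") return true;
  if (expr === "'self'") return url.origin === documentOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase(); // scheme-source
  let hostPattern = expr.replace(/^[a-z][a-z0-9+.-]*:\/\//i, ""); // drop scheme
  hostPattern = hostPattern.replace(/[:/].*$/, "").toLowerCase();  // drop port/path
  if (hostPattern.startsWith("*.")) return url.hostname.endsWith(hostPattern.slice(1));
  return url.hostname === hostPattern;
}

// Decide whether `script` ({ inline: true } or { src: "https://..." }) may run
// under `header` on a document with origin `documentOrigin`.
function checkScript(header, script, documentOrigin) {
  const policy = parseCsp(header);
  const sources = policy["script-src"] ?? policy["default-src"]; // script-src falls back to default-src
  if (!sources) return { allowed: true, reason: "no script-src or default-src" };
  if (script.inline) {
    // Inline script needs 'unsafe-inline' (or a nonce/hash, not modelled here).
    // A user script injected by an extension looks exactly like page inline script.
    const ok = sources.includes("'unsafe-inline'");
    return { allowed: ok, reason: ok ? "'unsafe-inline' granted" : "inline script, no 'unsafe-inline'" };
  }
  const url = new URL(script.src);
  const ok = sources.some((s) => sourceMatches(s, url, documentOrigin));
  return { allowed: ok, reason: ok ? "host matched" : `host ${url.hostname} not in script-src` };
}

// The policy from the reported console error, with a constructed inline user script:
const reportedPolicy = "script-src assets-cdn.github.com";
console.log(checkScript(reportedPolicy, { inline: true }, "https://github.com"));
```

The same evaluator also accepts the `'self'` and scheme-source forms, so it can be used to check what a given policy would do before deciding whether an extension needs the exemption at all.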



    Comments and activity

    • Microsoft Edge Team

      Changed Assigned To to “Steven K.”

      Changed Assigned To to “Sermet I.”

      Changed Assigned To from “Sermet I.” to “Scott S.”

      Changed Status to “Confirmed”

    • Our extension, 1Password, is also affected by this. It would be nice to know if there’s any progress on this.

    • I’m also affected by this. Until fixed, I found this work-around to modify the CSP itself with WebRequest: https://stackoverflow.com/questions/47326095/edge-extension-requesting-json-doesnt-work

      It works for me, but I would really like to avoid doing this.

    • Microsoft Edge Team

      Changed Status from “Confirmed” to “In code review”

      Changed Status from “In code review” to “Fixed”

    • Hello,

      Thank you for providing this information about the issue. We are pleased to report this feature is fixed in Edge and will be available in an upcoming insider build.

      Best Wishes,
      The MS Edge Team

    • Hi James,

      On behalf of the AgileBits team, thank you and your team for fixing this. I can confirm it is working great and 1Password can now fill on sites like Github.com in the latest Windows 10 Insider builds.

    • Facing this issue with Bitwarden too: https://github.com/bitwarden/browser/issues/509

      Does “Fixed, not yet flighted” mean that “no insider builds have been released”, or “no public Edge releases have been released”?

    • This is fixed in Windows 1803, aka the April 2018 update.
