Extension should be exempt from a site's Content Security Policy (CSP)

Duplicate Issue #11320214 • See Issue #11320212

Details

Author
Roman R.
Created
Mar 18, 2017
Privacy
This issue is public.
Found in
  • Microsoft Edge
  • Safari
Duplicates
See progress on Bug #11320212
Found in build #
14.14393
Reports
Reported by 3 people


Steps to reproduce

According to the spec, CSP should not be enforced on extension resources. Quote from the spec:

Policy enforced on a resource SHOULD NOT interfere with the operation of user-agent features like addons, extensions, or bookmarklets. These kinds of features generally advance the user’s priority over page authors.

Here’s an example to showcase the problem:

  1. Install Tampermonkey and enable it.
  2. Install GitHub Dark Script.
  3. Go to github.com and check the browser console, which logs this error:

     CSP14312: Resource violated directive 'script-src assets-cdn.github.com'
     in Content-Security-Policy: inline script. Resource will be blocked.

Chrome and Firefox already implement CSP exclusion for extensions, so it’d be great if Edge would follow them too. For further reading, there’s also a Safari bug and some discussion on the userscript’s issue tracker.
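To make the console error above concrete, here is an added example (not code from the bug report, Tampermonkey, or any browser) modelling how a user agent checks a site's `script-src` directive against a script, and how the spec's extension exemption changes the outcome. It assumes a simplified CSP subset ('unsafe-inline', 'none', '*', host and *.host sources; no nonces or hashes) and a hypothetical `exemptExtensions` switch standing in for the user agent's behaviour.

```javascript
// Added example, not code from the bug report or from any browser: a minimal
// model of how a user agent checks a site's CSP script-src directive against
// a script, plus the extension exemption the quoted spec text describes.
// Only the subset of CSP needed for the github.com case is modelled
// ('unsafe-inline', 'none', '*', host and *.host sources; no nonces/hashes).

// Parse "script-src a b; default-src c" into { "script-src": ["a", "b"], ... }.
function parseCsp(header) {
  const policy = {};
  for (const directive of header.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Host-source match: exact host, or "*.example.com" for any subdomain.
function hostMatches(source, host) {
  if (source.startsWith('*.')) return host.endsWith(source.slice(1));
  return source === host;
}

// script is { inline: true } or { host: 'cdn.example' }; fromExtension marks
// a script injected by a user-agent feature such as a userscript manager.
function sourceListAllows(sources, script) {
  if (sources.includes("'none'")) return false;
  if (script.inline) return sources.includes("'unsafe-inline'");
  return sources.some(src => src === '*' || hostMatches(src, script.host));
}

// exemptExtensions (hypothetical switch) models the spec's "SHOULD NOT
// interfere" clause: a UA that honours it skips the site policy for
// extension scripts; one that does not (the Edge behaviour reported above)
// applies the site policy to them and blocks the inline userscript.
function scriptAllowed(header, script, { exemptExtensions = true } = {}) {
  if (script.fromExtension && exemptExtensions) return true;
  const policy = parseCsp(header);
  const sources = policy['script-src'] || policy['default-src'];
  if (sources === undefined) return true; // no governing directive
  return sourceListAllows(sources, script);
}

// The github.com policy from the console error, as a constructed sample.
const GITHUB_CSP = "script-src assets-cdn.github.com";
const userscript = { inline: true, fromExtension: true };
console.log(scriptAllowed(GITHUB_CSP, userscript, { exemptExtensions: false })); // false: blocked
console.log(scriptAllowed(GITHUB_CSP, userscript, { exemptExtensions: true }));  // true: exempt
```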

Attachments

0 attachments

    Comments and activity

    • Changed Steps to Reproduce

    • Microsoft Edge Team

      Changed Assigned To to “Steven K.”

      Changed Status to “Duplicate”

    • Hello,

      Thank you for providing this information about the issue. We are currently investigating this problem in ticket #11320212. We will provide updates there.

      Best Wishes,

      The MS Edge Team
