CSP of a page applies to WebSockets in extension content scripts

Duplicate Issue #8074732 • See Issue #8074756


Jul 4, 2016
This issue is public.
See progress on Bug #8074756
Reported by 1 person


Steps to reproduce

  1. Load the test extension attached.
  2. Navigate to some https site that sets CSP. Examples: https://gist.github.com, https://ya.ru.
  3. Open developer tools (F12), select Console.
  4. Reload the site.

Expected: the extension should create an XHR and a WebSocket and print 'XHR is created and sent', 'Websocket is created' to the console.

Actual: the extension creates an XHR but cannot create a WebSocket; the error message is

CSP14312: Resource violated directive 'connect-src 'self' ...skipped...' in Content-Security-Policy: wss://echo.websocket.org/. Resource will be blocked.

There are several reasons why this behaviour looks like a bug:

  1. Inconsistent handling of XHRs and WebSockets. CSP of the page is applied to WebSockets but not to XHRs.

  2. According to https://developer.chrome.com/extensions/contentSecurityPolicy#interactions

    Content scripts are generally not subject to the CSP of the extension. …skipped… Additionally, the CSP of the page does not apply to content scripts.

  3. The test extension works in Chrome (51.0.2704.106). To be fair Firefox (49.0a2) has the same issue as Edge.

Microsoft Edge 38.14379.0.0
Microsoft EdgeHTML 14.14379


0 attachments
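The steps above have a content script opening one XHR and one WebSocket on a page whose policy contains `connect-src 'self' ...`. Added here as an illustration (not the reporter's test extension, which is not attached to the page) is a small `connect-src` evaluator in JavaScript that follows the CSP Level 3 source-expression matching rules in simplified form (no redirect handling, no nonce/hash sources, paths matched as plain prefixes); it runs offline under Node.js. The policy string and the `https://example.com/api` XHR endpoint are constructed, since the page quotes only the truncated directive and the `wss://echo.websocket.org/` target. It shows that a `connect-src 'self'` policy, if applied to the content script at all, would block the XHR just as much as the WebSocket, which is the inconsistency the report calls out; the Chrome documentation quoted in reason 2 applies it to neither.

```javascript
// Added example (not the reporter's test extension): a CSP connect-src
// evaluator following the CSP Level 3 source-expression rules in simplified
// form (no redirects, no nonce/hash sources, path matched as a plain prefix).
// Runs offline under Node.js. Policies and URLs used in the demo are constructed.

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// "connect-src 'self' wss:; img-src *" -> { "connect-src": ["'self'", "wss:"], "img-src": ["*"] }
function parsePolicy(policy) {
  const directives = {};
  for (const chunk of policy.split(";")) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1); // duplicate directive: first wins
  }
  return directives;
}

// CSP3 scheme matching: a scheme in the policy also covers its secure upgrade.
function schemeMatches(policyScheme, urlScheme) {
  return policyScheme === urlScheme
    || (policyScheme === "http:" && urlScheme === "https:")
    || (policyScheme === "ws:" && ["wss:", "http:", "https:"].includes(urlScheme));
}

// 'self': same host, same port (the URL class leaves default ports empty) and
// the same scheme or its secure upgrade, so under CSP3 an https page may open
// wss:// to its own host. (CSP2 required the scheme to match exactly.)
function matchesSelf(origin, url) {
  return origin.hostname === url.hostname
    && (origin.protocol === url.protocol
        || (origin.protocol === "http:" && ["https:", "ws:", "wss:"].includes(url.protocol))
        || (origin.protocol === "https:" && url.protocol === "wss:"))
    && origin.port === url.port;
}

// host-source: [scheme://]host[:port][/path], with *.example.com and port * wildcards
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^\s/:*]+)(?::(\*|\d+))?(\/[^\s]*)?$/i;

function matchesSource(expr, origin, url) {
  if (expr.startsWith("'")) return expr.toLowerCase() === "'self'" && matchesSelf(origin, url);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return schemeMatches(expr.toLowerCase(), url.protocol);
  const m = HOST_SOURCE.exec(expr);
  if (!m) return false;                                   // unparseable expression never matches
  const [, scheme, host, port, path] = m;
  // An explicit scheme must match; without one, the page's own scheme is implied.
  if (!schemeMatches(scheme ? scheme.toLowerCase() + ":" : origin.protocol, url.protocol)) return false;
  const h = host.toLowerCase(), target = url.hostname.toLowerCase();
  if (h === "*") { /* any host */ }
  else if (h.startsWith("*.")) { if (!target.endsWith(h.slice(1))) return false; }
  else if (h !== target) return false;
  const urlPort = url.port || DEFAULT_PORTS[url.protocol];
  if (port === undefined) { if (url.port !== "") return false; }  // no port part: default port only
  else if (port !== "*" && port !== urlPort) return false;
  if (path && !(path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path)) return false;
  return true;
}

// true when the page's policy lets the page itself connect to targetUrl
// (connect-src, falling back to default-src; no applicable directive => allowed).
function connectAllowed(policy, pageUrl, targetUrl) {
  const d = parsePolicy(policy);
  const sources = d["connect-src"] ?? d["default-src"];
  if (sources === undefined) return true;
  const origin = new URL(pageUrl), target = new URL(targetUrl);
  return sources.some(expr => matchesSource(expr, origin, target));
}

// The report's scenario: gist.github.com over https ships connect-src 'self' ...,
// and the content script opens one XHR and one WebSocket. The policy string and
// the XHR endpoint are constructed; the report does not name the XHR target.
function reportScenario() {
  const page = "https://gist.github.com/";
  const policy = "default-src 'none'; connect-src 'self'";
  return {
    xhr: connectAllowed(policy, page, "https://example.com/api"),          // false: blocked if page CSP applied
    websocket: connectAllowed(policy, page, "wss://echo.websocket.org/"),  // false: what Edge reported
  };
}

console.log(reportScenario());
```

Under a page policy that is applied consistently, both results are false; what Edge did was block only the WebSocket, while the Chrome documentation says neither request of a content script is subject to the page's CSP. The evaluator also shows which policy would admit the WebSocket if the page author wanted it: an explicit `wss://echo.websocket.org`, a bare `wss:` scheme source, or a `wss://*.websocket.org` wildcard.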

    Comments and activity

    • Microsoft Edge Team

      Changed Assigned To to “Ibrahim O.”

      Changed Status to “Duplicate”

    • This bug has been marked as a duplicate. Please follow the [parent issue](…/8074756/) to get new updates.
