CSP of a page blocks websockets in extensions content scripts

Won’t fix Issue #8074756


Sergey K.
Jul 4, 2016
This issue is public.
Found in
  • Microsoft Edge
Found in build #
Reported by 1 person


Steps to reproduce

  1. Load the test extension attached.
  2. Navigate to some https site that sets CSP. Examples: https://gist.github.com, https://ya.ru.
  3. Open developer tools (F12), select Console.
  4. Reload the site.

Expected: the extension should create an XHR and a WebSocket and print 'XHR is created and sent', 'Websocket is created' to the console.

Actual: the extension creates an XHR but cannot create a WebSocket, failing with the error message

CSP14312: Resource violated directive 'connect-src 'self' ...skipped...' in Content-Security-Policy: wss://echo.websocket.org/. Resource will be blocked.

There are several reasons why this behaviour looks like a bug:

  1. Inconsistent handling of XHRs and WebSockets. CSP of the page is applied to WebSockets but not to XHRs.

  2. According to https://developer.chrome.com/extensions/contentSecurityPolicy#interactions

    Content scripts are generally not subject to the CSP of the extension. …skipped… Additionally, the CSP of the page does not apply to content scripts.

  3. The test extension works in Chrome (51.0.2704.106). To be fair, Firefox (49.0a2) has the same issue as Edge.

Microsoft Edge 38.14379.0.0
Microsoft EdgeHTML 14.14379
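
Added example (not part of the report or its attached test extension): a simplified check of whether a page's CSP, when the browser applies it to a content script's request as described above, permits a given connection. It implements a subset of CSP Level 3 source matching with paths in source expressions ignored; the function names and any policy strings passed to it are constructed for illustration.

```javascript
// Added example: simplified subset of CSP Level 3 source matching for connect-src.
const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };
const portOf = (u) => u.port || DEFAULT_PORT[u.protocol] || '';

// XHR, fetch and WebSocket are governed by connect-src, falling back to default-src.
function connectSources(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().toLowerCase().split(/\s+/);
    if (name && !directives.has(name)) directives.set(name, values); // first one wins
  }
  return directives.get('connect-src') ?? directives.get('default-src') ?? null;
}

// A source scheme also covers its secure upgrade (http: covers https:, ws: covers wss:).
function schemeMatches(src, url) {
  return src === url || (src === 'http:' && url === 'https:') ||
    (src === 'ws:' && ['wss:', 'http:', 'https:'].includes(url)) ||
    (src === 'wss:' && url === 'https:');
}

function sourceAllows(expr, target, page) {
  if (expr === "'none'") return false;
  if (expr === '*') return ['http:', 'https:', 'ws:', 'wss:'].includes(target.protocol);
  if (expr === "'self'") {
    if (target.origin === page.origin) return true;
    const samePort = target.port === page.port || portOf(target) === portOf(page);
    return target.hostname === page.hostname && samePort &&
      (['https:', 'wss:'].includes(target.protocol) ||
        (page.protocol === 'http:' && target.protocol === 'ws:'));
  }
  if (/^[a-z][a-z0-9+.-]*:$/.test(expr)) return schemeMatches(expr, target.protocol);
  const m = /^(?:([a-z][a-z0-9+.-]*:)\/\/)?(\*\.)?([^/:]+)(?::(\d+|\*))?/.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // A scheme-less host-source inherits the page's scheme, so on https it does not cover wss.
  if (!schemeMatches(scheme ?? page.protocol, target.protocol)) return false;
  const hostOk = wildcard ? target.hostname.endsWith('.' + host) : target.hostname === host;
  const portOk = port === '*' || (port ? portOf(target) === port : target.port === '');
  return hostOk && portOk;
}

// True when the policy, if applied to the request, lets pageUrl connect to targetUrl.
function connectAllowed(policy, pageUrl, targetUrl) {
  const sources = connectSources(policy);
  if (sources === null) return true; // neither directive present: connections unrestricted
  const page = new URL(pageUrl), target = new URL(targetUrl);
  return sources.some((s) => sourceAllows(s, target, page));
}
```

With a constructed policy of connect-src 'self' on https://gist.github.com/, connectAllowed returns false for wss://echo.websocket.org/, which corresponds to the CSP14312 violation quoted in the report.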


Comments and activity

  • Microsoft Edge Team

    Changed Assigned To to “Ibrahim O.”

    Changed Assigned To to “Sermet I.”

    Changed Assigned To from “Sermet I.” to “Scott S.”

    Changed Status to “Confirmed”

  • The Edge team is investigating.

  • Microsoft Edge Team

    Changed Status from “Confirmed” to “Won’t fix”

  • Hi!

    Currently, we are only servicing security bugs for EdgeHTML as we make the shift to the new Chromium Edge; therefore, we have resolved this issue as "Won’t Fix". Thank you for taking the time to report this issue.

