Steps to reproduce
- Load the test extension attached.
- Navigate to some https site that sets CSP. Examples: https://gist.github.com, https://ya.ru.
- Open developer tools (F12), select Console.
- Reload the site.
Expected: the extension should create an XHR and a WebSocket and print 'XHR is created and sent', 'Websocket is created' to the console.
Actual: the extension creates an XHR but cannot create a WebSocket, with the error message:
CSP14312: Resource violated directive 'connect-src 'self' ...skipped...' in Content-Security-Policy: wss://echo.websocket.org/. Resource will be blocked.
There are several reasons why this behaviour looks like a bug:
- Inconsistent handling of XHRs and WebSockets. CSP of the page is applied to WebSockets but not to XHRs.
- Content scripts are generally not subject to the CSP of the extension. …skipped… Additionally, the CSP of the page does not apply to content scripts.
- The test extension works in Chrome (51.0.2704.106). To be fair, Firefox (49.0a2) has the same issue as Edge.
Microsoft Edge 38.14379.0.0
Microsoft EdgeHTML 14.14379
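A content-script probe along the lines of the steps above, as an added example; it is not the attached test extension. `XHR_URL` is a placeholder, `probeConnectSrc` and the `env` parameter are hypothetical names, and the WebSocket URL is the one in the reported error message.

```javascript
// Added example: checks whether the page's connect-src is enforced against
// requests made from a content script. Not the reporter's extension code.
const XHR_URL = 'https://example.com/';      // placeholder endpoint (assumption)
const WS_URL = 'wss://echo.websocket.org/';  // URL from the error message above

function probeConnectSrc(env = globalThis) {
  const result = { xhr: 'not-run', websocket: 'not-run', violations: [] };

  // Record CSP violations reported for this document, where the event exists.
  if (env.document && env.document.addEventListener) {
    env.document.addEventListener('securitypolicyviolation', (e) => {
      result.violations.push({ directive: e.violatedDirective, blocked: e.blockedURI });
    });
  }

  try {
    const xhr = new env.XMLHttpRequest();
    xhr.onerror = () => { result.xhr = 'error-after-send'; };
    xhr.open('GET', XHR_URL);
    xhr.send();
    result.xhr = 'created';
    env.console.log('XHR is created and sent');
  } catch (err) {
    result.xhr = 'blocked: ' + err.name;
  }

  // A blocked connection can surface as an exception from the constructor
  // or as a later error event; both outcomes are recorded.
  try {
    const ws = new env.WebSocket(WS_URL);
    ws.onerror = () => { result.websocket = 'error-after-create'; };
    result.websocket = 'created';
    env.console.log('Websocket is created');
  } catch (err) {
    result.websocket = 'blocked: ' + err.name;
  }
  return result;
}

// Run automatically only when loaded into a page as a content script.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const outcome = probeConnectSrc();
  setTimeout(() => console.log(JSON.stringify(outcome)), 2000);
}
```

If `xhr` ends as `created` while `websocket` is blocked and `violations` lists `connect-src`, the page policy is being applied to only one of the two request types.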
Comments and activity
- Microsoft Edge Team
Changed Assigned To to “Ibrahim O.”
Changed Assigned To to “Sermet I.”
Changed Assigned To from “Sermet I.” to “Scott S.”
Changed Status to “Confirmed”
The Edge team is investigating.