CSP of a page blocks websockets in extensions content scripts

Confirmed Issue #8074756 • Assigned to Scott S.

Details

Author
Sergey K.
Created
Jul 4, 2016
Privacy
This issue is public.
Found in
  • Microsoft Edge
Found in build #
14.14379
Reports
Reported by 1 person


Steps to reproduce

  1. Load the test extension attached.
  2. Navigate to some https site that sets CSP. Examples: https://gist.github.com, https://ya.ru.
  3. Open developer tools (F12), select Console.
  4. Reload the site.

Expected: the extension should create an XHR and a WebSocket and print 'XHR is created and sent', 'Websocket is created' to the console.

Actual: the extension creates an XHR but cannot create a WebSocket; the error message is:

CSP14312: Resource violated directive 'connect-src 'self' ...skipped...' in Content-Security-Policy: wss://echo.websocket.org/. Resource will be blocked.

There are several reasons why this behaviour looks like a bug:

  1. Inconsistent handling of XHRs and WebSockets. CSP of the page is applied to WebSockets but not to XHRs.

  2. According to https://developer.chrome.com/extensions/contentSecurityPolicy#interactions

    Content scripts are generally not subject to the CSP of the extension. …skipped… Additionally, the CSP of the page does not apply to content scripts.

  3. The test extension works in Chrome (51.0.2704.106). To be fair Firefox (49.0a2) has the same issue as Edge.

Microsoft Edge 38.14379.0.0
Microsoft EdgeHTML 14.14379
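As an added example (not part of this report or its attached test extension): a simplified CSP connect-src matcher that reproduces the decision behind the CSP14312 message, i.e. why a page policy of connect-src 'self' blocks wss://echo.websocket.org/ while a same-origin request passes. It assumes ports and paths can be ignored, and that a scheme-less host source only matches the page's own scheme; the policy strings are constructed for illustration.

```javascript
// Added example: simplified connect-src evaluation for a page's CSP.
// Simplifications (not full CSP3): ports and paths are ignored, and a
// scheme-less host source matches only the page's own scheme.

function connectSrcSources(policy) {
  // Split the header value into directives; connect-src falls back to
  // default-src, as the spec requires. Returns null when neither exists.
  const directives = new Map(policy.split(';').map(d => d.trim().split(/\s+/))
    .filter(p => p[0]).map(p => [p[0].toLowerCase(), p.slice(1)]));
  return directives.get('connect-src') || directives.get('default-src') || null;
}

function hostMatches(pattern, hostname) {
  if (pattern.startsWith('*.')) {                  // "*.websocket.org"
    const suffix = pattern.slice(1);
    return hostname.endsWith(suffix) && hostname.length > suffix.length;
  }
  return pattern === '*' || pattern === hostname;
}

function sourceMatches(source, target, page) {
  const src = source.toLowerCase();
  const scheme = target.protocol.slice(0, -1);     // "wss:" -> "wss"
  const pageScheme = page.protocol.slice(0, -1);
  if (src === "'none'") return false;
  if (src === "'self'") {
    // Same host and either the same scheme or, on an https page, wss.
    return target.hostname === page.hostname &&
      (scheme === pageScheme || (pageScheme === 'https' && scheme === 'wss'));
  }
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return src.slice(0, -1) === scheme; // e.g. "wss:"
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/);       // host-source
  if (!m) return false;
  const [, srcScheme, host] = m;
  const schemeOk = srcScheme ? srcScheme === scheme : scheme === pageScheme;
  return schemeOk && hostMatches(host, target.hostname);
}

function connectAllowed(policy, targetUrl, pageUrl) {
  // True when a connect (XHR, fetch, WebSocket) to targetUrl passes the
  // page's connect-src directive; no applicable directive means no restriction.
  const sources = connectSrcSources(policy);
  if (sources === null) return true;
  const target = new URL(targetUrl), page = new URL(pageUrl);
  return sources.some(s => sourceMatches(s, target, page));
}

// Constructed sample mirroring the report: the page sets connect-src 'self'.
const PAGE_POLICY = "default-src 'self'; connect-src 'self' https://api.github.com";
console.log(connectAllowed(PAGE_POLICY, 'wss://echo.websocket.org/', 'https://gist.github.com/')); // false
console.log(connectAllowed(PAGE_POLICY, 'https://gist.github.com/api', 'https://gist.github.com/')); // true
```

Evaluated this way, the report's WebSocket is blocked only because the page's policy is applied to a content-script connection at all, which is the behaviour the report questions.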

Attachments

Comments and activity

  • Microsoft Edge Team

    Changed Assigned To to “Ibrahim O.”

    Changed Assigned To to “Sermet I.”

    Changed Assigned To from “Sermet I.” to “Scott S.”

    Changed Status to “Confirmed”

  • The Edge team is investigating.
