Inconsistency in default warning Content Security Policy Script

[stefanvd]

When converting my Chrome extension to a Firefox Extension Manifest V3 and using the same Manifest.json file, it shows me a warning that I need to add worker-src 'self'. While it works just fine in the Google Chrome web browser.
In Firefox, I added worker-src 'self' inside the content_security_policy code in my Manifest.json file, and the warning was removed.

Screenshots of the issue

Chrome Manifest.json

  "content_security_policy": {
    "extension_pages": "default-src 'none'; style-src 'self'; media-src https://www.turnoffthelights.com; child-src https://www.youtube.com https://www.turnoffthelights.com; connect-src https://www.turnoffthelights.com; script-src 'self'; img-src 'self' https://www.turnoffthelights.com * data:; object-src 'none'"
  },

Firefox Manifest.json

  "content_security_policy": {
    "extension_pages": "default-src 'none'; style-src 'self'; media-src https://www.turnoffthelights.com; child-src https://www.youtube.com https://www.turnoffthelights.com; connect-src https://www.turnoffthelights.com; script-src 'self'; img-src 'self' https://www.turnoffthelights.com * data:; object-src 'none'; worker-src 'self'"
  },

Conclusion:

All web browsers must establish a uniform default security standard for their Content Policy. This ensures the prevention of issues where the security of one content script differs and is more relaxed in another web browser. Setting a consistently robust security baseline is imperative for a secure web browser.

Resources:

• Turn Off the Lights Firefox extension
  https://github.com/turnoffthelights/Turn-Off-the-Lights-Firefox-extension-WebExtensions/blob/master/src/manifest.json
• Turn Off the Lights Chrome extension
  https://github.com/turnoffthelights/Turn-Off-the-Lights-Chrome-extension/blob/manifest-v3/src/manifest.json

[carlosjeurissen]

In CSP, worker-src is supposed to fall back to child-src if present. Else fall back to script-src if present, else fall back to default-src.

In the case of the CSP you use for Turn off the lights. This means worker-src will end up using the child-src value which is set to https://www.youtube.com https://www.turnoffthelights.com.

Is there any reason you are not using frame-src instead of child-src? Replacing child-src with frame-src would mean worker-src will start using the value of script-src.

As a last note, having worker-src set to self would not hurt in Chrome. So you could simply use the same CSP value. If you are not using any workers you can even set it to none.

Discussion about the default CSP can be found here: #98

[stefanvd]

The reason why I use child-src is because I have a welcome guide (online page) and inside there is a video player (for one of these domains).

I try to keep my code the same across all platforms. Therefore, your suggestion worker-src 'none' is a good point to add it in all my browser extensions.

[carlosjeurissen]

@stefanvd for that you can simply use frame-src instead. Pretty sure you can also remove the YouTube source as it is not a direct subframe of your extension.

Is there anything specific for this group to talk about?

[stefanvd]

@carlosjeurissen I used frame-src before; at that time, it was "deprecated". Because of this, I continued to use child-src.

frame-src was deprecated in level 2, but is restored in level 3. If not present it still falls back to child-src as before.

Source https://web.dev/articles/csp#:~:text=frame%2Dsrc%20was%20deprecated%20in%20level%202%2C%20but%20is%20restored%20in%20level%203.%20If%20not%20present%20it%20still%20falls%20back%20to%20child%2Dsrc%20as%20before.

Should not child-src be the recommended option for future use?

[carlosjeurissen]

@stefanvd I would suggest to use frame-src instead. As you mentioned it is nolonger deprecated. And it seems you do not need worker-src. So there is no benefit of using child-src.

Again is there anything specific for this group to talk about?

[Rob--W]

These are informative warnings for developers, not fatal errors that prevent the extension from loading.

In practice, due to several efforts, including #98 and #204, the CSP handling is now quite uniform. Chrome and Firefox both enforce the CSP by enforcing a minimum CSP (effectively script-src 'self'), and then applies whatever the extension specifies on top of it. This minimum enforced CSP is a hardening measure to counter CSP validation bypasses (which happened in the past in Chrome, e.g. https://crbug.com/1042963).

Like Carlos mentioned before, you should have used frame-src instead of child-src here. Because the directive precedence is worker-src < child-src < script-src, Firefox rightfully warns about the child-src directive being rejected, because accepting child-src would imply that workers would be permitted to run code. Chrome does not warn because its validator does not account for child-src in the context of workers, but that initial validator bypass is mitigated by the enforcement of the "minimum CSP" that I described before. If anyone wanted to rely on this (i.e. loading a remote worker in Chrome), then the load would be blocked and an appropriate warning about the CSP will be displayed in the console.

I'm closing this issue because there are no actionable items for the WECG here.