XHR from content scripts should not be affected by page's CSP / Permissions-Policy (also, cross-browser inconsistencies) #730
Comments
github-actions
bot
added
needs-triage: chrome
hackademix
changed the title
|
SyncXHR for the extension's own blob URL should be allowed regardless of the policies/CSP i.e. |
|
As noted in the meeting, Firefox's MV3 behavior matches exactly the web page's behavior. I'm aware that Chrome made an effort to use the content script-specific CSP for several DOM APIs, including @oliverdunk is going to look into the kind of exceptions that Chrome has. From there we can decide whether we should enforce these exceptions more broadly across browsers. |
|
I was able to follow-up on this internally. Chrome's stance is that we have a content script CSP and therefore should follow it as closely as possible whenever feasible. This includes using the content script CSP for XHR and fetch and not applying the page CSP. Currently in Chrome, the content script CSP is always equivalent to the minimum MV3 CSP, regardless of any extension CSP specified in the manifest. We're open to supporting additional configuration in principle but aren't yet convinced this would be adopted. I don't have a full list of exceptions we have but hopefully this is enough to figure out a direction :) |
oliverdunk
removed
follow-up: chrome
|
I see comments mentioning only CSP, but in Chrome it is not a problem as noted in the issue description. It's Permissions-Policy/Feature-Policy for sync-xhr. Is this what @oliverdunk meant by "additional configuration"? If so, regarding "aren't yet convinced this would be adopted", I guess Chrome wouldn't want to add an exception to support a deprecated feature, but 1) it's possible that implementing such an exception would be trivial or at least much simpler than implementing a proper API to provide config synchronously and 2) it'd be removed shortly after that new API appears anyway. |
|
Thanks for asking that. The focus of our discussion in the meeting was if Firefox (and other browsers generally) should align with Chrome's behavior - I promised to follow-up on if this behavior is something we intended to keep so my response was based on that. I don't have an answer for if we would change the behavior of Permissions-Policy. I can try to follow up on that too but wanted to prioritize the second point on CSP which was flagged as harder to workaround :) |
|
Slightly tangiential, but |
Try inject https://maone.net/test/docpolicy/ with a MV3 content script trying to perform sync XHR to any origin (including the page itself):
Permissions-Policy: sync-xhr=()" (and by the deprecatedFeature-Policy: sync-xhr 'none';`, likely for retro-compat)Content-Security-Policy: connect-srcWhile n. 1 can be worked around, albeit in very hackish and expensive ways (here and there), n.2 cannot because of how CSP headers are merged in MV3 (no way to relax them narrowly and safely).
Of course we're talking about hacks to enable another hack (synchronous messaging through XHR), but so far proposed solutions (#539, #536, #284...) have been stalled mentioning the existence of this very hack (example, example) as an excuse, so please fix this issue at least.
The text was updated successfully, but these errors were encountered: