Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Firefox content script not loading in some pages

Context

I am currently working on a browser extension which is working as expected with Chrome and Opera but I am facing issues with Firefox. Here is a minimal version of manifest.json needed to reproduce the problem:

{
    "name": "Example",
    "version": "0.0.1",
    "author": "Pyves",
    "content_scripts": [
        {
            "all_frames": true,
            "matches": [
                "<all_urls>"
            ],
            "js": [
                "content.js"
            ]
        }
    ],
    "manifest_version": 2
}

And here is the related content.js:

console.log("Content script loaded");

Issue

Content script loaded is systematically logged regardless of the visited page when using Chrome and Opera. Nevertheless, the content script doesn't seem to load in some pages when using Firefox, for instance raw GitHub pages such as the following: https://raw.githubusercontent.com/badges/shields/master/README.md

There are no error messages in the Firefox console stating why the content script was not executed on that particular page.

Questions

  • Why is the Firefox extension unable to load the content script into some pages?

  • What changes need to be made so that the extension works consistently on all browsers?

like image 249
Pyves Avatar asked Dec 03 '17 19:12

Pyves


1 Answers

I finally figured out why the extension's content script is not loading in some pages when using Firefox.

After analysing the requests with the Network developer tools, it turns out that the following headers are returned when getting GitHub raw pages:

Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox

According to the MDN Web Docs, the sandbox CSP directive has the following effect:

enables a sandbox for the requested resource [...]. It applies restrictions to a page's actions including preventing popups, preventing the execution of plugins and scripts, and enforcing a same-origin policy.

Therefore Firefox is preventing extensions from executing content scripts in pages with the sandbox CSP, whereas other browsers such as Chrome and Opera do allow this behaviour. Related bug reports in Mozilla's Bugzilla (1267027 and 1411641) highlight that:

CSP 'sandbox' directive prevents content scripts from matching, due to unique origin

This issue has been acknowledged and will hopefully be fixed in future releases of Firefox.

like image 124
Pyves Avatar answered Sep 28 '22 09:09

Pyves