
I have a Firefox plugin that used to interact with GitHub's web app by injecting some JavaScript in the page (by creating an element under the head element and setting its innerHTML value to the JavaScript to be executed).

However, it just stopped working lately. I then saw the following warning:

Timestamp: 8/21/13 5:45:42 PM
Warning: CSP WARN:  Directive inline script base restriction violated
Source File: https://github.com/login
Line: 0
Source Code:
myjscode();...

Github returns the following header:

X-Content-Security-Policy: default-src *; script-src 'self'   https://github.global.ssl.fastly.net https://jobs.github.com https://ssl.google-analytics.com https://collector.githubapp.com https://analytics.githubapp.com; style-src 'self' 'unsafe-inline' https://github.global.ssl.fastly.net; object-src 'self' https://github.global.ssl.fastly.net

I was aware that Firefox started supporting CSP through the X-Content-Security-Policy header, but I thought some mechanism would be in place to prevent code injection from plugins from breaking.

Does anyone know if the extension API has any specific mechanism for injecting JavaScript in the page in a way that bypasses the CSP settings? Rationale is: if the user has the plugin installed, he/she trusts it, and there should be a way to bypass CSP.

FullOfCaffeine
  • Might not be the answer you're looking for, but you shouldn't be injecting scripts into sites in the first place. There are quite a bunch of other options available, such as frame scripts (message manager), SDK page-mod, custom sandboxes, or even iframes. Or don't run your code within the page context in the first place and instead in the browser. – nmaier Aug 21 '13 at 23:16
  • Hi nmaier. Thank you for the comment. Could you be a bit more specific and elaborate on these options? In Chrome, for example, I use chrome.tabs.executeScript, which works great. Is there anything like that for Firefox? Thanks – FullOfCaffeine Aug 22 '13 at 00:03
  • I already gave a list. I cannot be more specific which of those would fit your add-on best without knowing quite a bit more on what you're trying to do exactly. There is a difference between "I want to do something on a click" and "I need to load jquery and do some fancy stuff". – nmaier Aug 22 '13 at 00:08
  • It's a script that interacts with some form elements, like filling up text inputs and clicking buttons. Pretty straightforward stuff. – FullOfCaffeine Aug 22 '13 at 02:24
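To see why the warning fires, here is an added example (not part of the question, not GitHub's or Firefox's code) that parses the X-Content-Security-Policy header quoted above and reports what each directive permits. Only the header string is taken from the question; the parser, the matching rules for the source forms that header uses, and the sample origins are illustrative.

```javascript
// Added example: evaluate the X-Content-Security-Policy header from the question.
// Header text copied from the question; everything else here is illustrative.
const GITHUB_CSP =
  "default-src *; script-src 'self'   https://github.global.ssl.fastly.net " +
  "https://jobs.github.com https://ssl.google-analytics.com " +
  "https://collector.githubapp.com https://analytics.githubapp.com; " +
  "style-src 'self' 'unsafe-inline' https://github.global.ssl.fastly.net; " +
  "object-src 'self' https://github.global.ssl.fastly.net";

// Split "name src src; name src" into a Map of directive -> source list.
// A directive repeated within one header keeps its first occurrence.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// A fetch directive that is absent falls back to default-src.
function effectiveSources(policy, directive) {
  return policy.get(directive) || policy.get("default-src") || [];
}

// Inline <script>/<style> text (which is what element.innerHTML = "myjscode();"
// creates) is allowed only when the governing directive lists 'unsafe-inline'.
function allowsInline(policy, directive) {
  return effectiveSources(policy, directive).includes("'unsafe-inline'");
}

// Host-source matching for the forms used in the header above: "*", 'self',
// scheme://host and scheme://*.host. Other quoted keywords grant no host.
function sourceMatches(expr, origin, pageOrigin) {
  if (expr === "*") return true;
  if (expr === "'self'") return origin === pageOrigin;
  if (expr.startsWith("'")) return false;
  const want = new URL(origin);
  const [scheme, host] = expr.includes("://")
    ? expr.split("://")
    : [want.protocol.slice(0, -1), expr];
  if (scheme.toLowerCase() + ":" !== want.protocol) return false;
  if (host.startsWith("*.")) return want.host.endsWith(host.slice(1));
  return host.toLowerCase() === want.host;
}

// Would a script/style/object loaded from `origin` be allowed by `directive`?
function allowsSource(policy, directive, origin, pageOrigin) {
  return effectiveSources(policy, directive)
    .some((expr) => sourceMatches(expr, origin, pageOrigin));
}

// Summarise what the page lets an add-on get away with.
function summarise(header, pageOrigin) {
  const policy = parseCsp(header);
  return {
    inlineScript: allowsInline(policy, "script-src"),
    inlineStyle: allowsInline(policy, "style-src"),
    scriptFromCdn: allowsSource(policy, "script-src",
      "https://github.global.ssl.fastly.net", pageOrigin),
    scriptFromAnywhere: allowsSource(policy, "script-src",
      "https://example.invalid", pageOrigin),
  };
}

console.log(summarise(GITHUB_CSP, "https://github.com"));
```

Run against the quoted header, `summarise` reports that inline style is permitted but inline script is not, and that script may only come from the page's own origin or the listed hosts. So the add-on's injected `<script>` element is exactly the case `script-src` is written to refuse, and hosting the code at an unlisted origin would be refused as well; the options nmaier lists avoid putting script text into the page at all.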

2 Answers


You can do this in Firefox, although it is not recommended. Open the page about:config and set security.csp.enable to false (a restart may be required).

pratik mankar

It's a script that interacts with some form elements, like filling up text inputs and clicking buttons. Pretty straightforward stuff.

I'd look into either SDK page-mod, or for non-SDK add-ons just listen to load events and do your manipulations in the event handler using the regular DOM API.

Using the SDK with page-mod is likely the closest thing that resembles chrome.tabs.executeScript and chrome extensions in general, so I'd go with that.

nmaier
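As an added example of the page-mod route described in this answer (not nmaier's code, nor code from the Add-on SDK), here is the shape such an add-on takes: a content-script function that fills fields and clicks a button through the DOM API, and a main.js-side registration that ships that function as the page-mod's content script. The form selectors, the placeholder values and the stand-in document used to run the logic offline are assumptions for illustration; `PageMod` is passed in as a parameter so the file also runs outside Firefox, and in a real add-on it would be `require("sdk/page-mod").PageMod`.

```javascript
// Content-script body. In the SDK this runs in the add-on's own sandbox with a
// view of the page DOM; it edits existing elements instead of adding a <script>,
// so the page's script-src directive has nothing to refuse. `doc` is a parameter
// so the same function can be exercised offline against a stand-in document.
function fillLoginForm(doc, values, submitSelector) {
  let filled = 0;
  for (const selector of Object.keys(values)) {
    const field = doc.querySelector(selector);
    if (!field) continue;
    field.value = values[selector];
    filled += 1;
  }
  const button = doc.querySelector(submitSelector);
  const complete = filled === Object.keys(values).length && button !== null;
  if (complete) button.click();
  return { filled, submitted: complete };
}

// Assumed selectors and placeholder values, not verified against github.com.
// Never hard-code real credentials in an add-on; pass them from main.js over
// the content script's messaging port instead.
const LOGIN_FIELDS = { "#login_field": "octocat", "#password": "example-only" };
const SUBMIT_BUTTON = "input[type=submit]";

// The SDK accepts the content script as source text and evaluates it in the
// add-on sandbox once the matching page has loaded.
const CONTENT_SCRIPT =
  fillLoginForm.toString() +
  `\nfillLoginForm(document, ${JSON.stringify(LOGIN_FIELDS)}, ` +
  `${JSON.stringify(SUBMIT_BUTTON)});`;

// main.js side. PageMod is injected (normally require("sdk/page-mod").PageMod)
// so this file can be loaded and tested outside Firefox.
function registerPageMod(PageMod) {
  return PageMod({
    include: "https://github.com/login",
    contentScriptWhen: "ready",
    contentScript: CONTENT_SCRIPT,
  });
}

// Constructed stand-in for the page DOM so the logic can be run offline.
// Real pages expose the same querySelector/value/click surface.
function fakeDocument(selectors) {
  const elements = {};
  for (const s of selectors) {
    elements[s] = { value: "", clicked: false, click() { this.clicked = true; } };
  }
  return { querySelector: (s) => elements[s] || null, elements };
}

// Offline demonstration on the stand-in document.
const demo = fakeDocument(["#login_field", "#password", "input[type=submit]"]);
console.log(fillLoginForm(demo, LOGIN_FIELDS, SUBMIT_BUTTON));
```

In an SDK add-on the last three lines are replaced by `registerPageMod(require("sdk/page-mod").PageMod)` in main.js. Note that a page-mod content script sees the page DOM but not the page's own JavaScript globals; if the form relies on page script to react to a click, dispatch the click through the DOM as above rather than calling the page's functions.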