1

I have a Firefox extension displaying its own HTML page via a chrome:// URL, and scripts in it are running with chrome privileges. For users' security, I want to add a Content Security Policy to this page.

The obvious thing to do is to add it via a <meta> tag, but that's not yet supported in Firefox (bug 663570). Update: Bug 663570 was fixed in Firefox 45, but my attempts to use a tag caused Firefox to crash. Bug 923902 seems to be the new bug to watch.

Is there any way to implement a CSP right now? Some way to fake the appropriate HTTP header for a chrome:// URL?

Pixievolt No. 1

1 Answer

0

I asked this question waaay back in the days of XUL add-ons, which are long gone - in this era of WebExtensions, I could define a CSP in manifest.json, although the default CSP is plenty secure.

Pixievolt No. 1
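
An added example, not part of the original answer or of any Mozilla code: a JavaScript check that reads the `content_security_policy` key from a parsed manifest.json (Manifest V2 string form or Manifest V3 `extension_pages` form) and reports where a declared policy is looser than `script-src 'self'`. The function names and both sample manifests are hypothetical.

```javascript
// Added example; function names are hypothetical, sample manifests constructed.

// CSP for extension pages from a parsed manifest.json, or null when none is
// declared (the browser's default policy then applies).
function extensionPageCsp(manifest) {
  const csp = manifest.content_security_policy;
  if (typeof csp === "string") return csp;                 // Manifest V2 form
  if (csp && typeof csp === "object") return csp.extension_pages || null; // V3
  return null;
}

// Parse a policy into Map(directive name -> list of source expressions).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by CSP parsers: first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Report every way the declared policy is looser than "script-src 'self'".
function auditManifestCsp(manifest) {
  const policy = extensionPageCsp(manifest);
  if (policy === null) return [];
  const directives = parseCsp(policy);
  const sources = directives.get("script-src") || directives.get("default-src");
  if (!sources) return ["policy has no script-src or default-src"];
  const findings = [];
  for (const src of sources) {
    const s = src.toLowerCase();
    if (s === "'unsafe-inline'" || s === "'unsafe-eval'") {
      findings.push(`script-src allows ${s}`);
    } else if (!s.startsWith("'")) {
      // Unquoted tokens are host or scheme sources, i.e. code from outside 'self'.
      findings.push(`script-src allows external source ${src}`);
    }
  }
  return findings;
}

const strictV2 = { manifest_version: 2,
  content_security_policy: "script-src 'self'; object-src 'self'" };
const looseV3 = { manifest_version: 3, content_security_policy: { extension_pages:
  "script-src 'self' 'unsafe-eval' https://cdn.example.com; object-src 'self'" } };
console.log(auditManifestCsp(strictV2), auditManifestCsp(looseV3));
```

A manifest that declares no policy returns an empty list, since the browser default then applies to the extension's pages.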