Skip to content

Fix CSP for element hiding in Firefox #314

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Mar 14, 2023
Merged

Fix CSP for element hiding in Firefox #314

merged 1 commit into from
Mar 14, 2023

Conversation

jonathanKingston
Copy link
Contributor

@jonathanKingston jonathanKingston commented Mar 13, 2023
edited
Loading

As reported here: duckduckgo/duckduckgo-privacy-extension#367 (comment) we're getting blocked by page CSP.

This shouldn't happen as we're acting on the users behalf, see: https://bugzilla.mozilla.org/show_bug.cgi?id=1415352#c48

Using a link and data attribute should circumvent the blocking but doesn't prevent the error as mentioned in the Bugzilla issue. (in fact in my testing it now nolonger points to our code so having a useful comment in the code doesn't help us even 😢)

@dharb are you able to test this out in Firefox, perhaps we could create a test page with a CSP like the following:

<html>
    <head>
        <title>Content Security Policy</title>
        <meta http-equiv="Content-Security-Policy" content="script-src 'self' https: http:; object-src 'none'; base-uri 'none'; style-src 'self' ; font-src 'self'">
    </head>
    <body>
        <h1>Boop</h1>
        <iframe id="google_ads_iframe" ></iframe>
        <div id="taboola-sd">sss</div>
        <div class="taboolaHeight">seeeess</div>
    </body>
</html>

@jonathanKingston jonathanKingston requested a review from dharb March 13, 2023 13:03
@jonathanKingston jonathanKingston force-pushed the jkt/fixCSPElementHiding branch from fd00da4 to 40b848f Compare March 13, 2023 13:11
dharb
dharb approved these changes Mar 14, 2023
View reviewed changes
Copy link
Contributor

@dharb dharb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @jonathanKingston, this looks good - tested and confirmed in ff + chrome. I'll spin up a test page for this scenario.

@jonathanKingston
Copy link
Contributor Author

Thanks for the extensive testing!

@jonathanKingston jonathanKingston merged commit 87124dc into main Mar 14, 2023
@jonathanKingston jonathanKingston deleted the jkt/fixCSPElementHiding branch March 14, 2023 19:55
@dharb dharb mentioned this pull request May 11, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dharb dharb dharb approved these changes

@shakyShane shakyShane Awaiting requested review from shakyShane

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jonathanKingston @dharb