On 6/5/14, 11:39 AM, Matthew Gertner wrote:
Our extension injects styles into webpages via a protocol defined using our own protocol 
handler using <link rel="stylesheet">. We have our own nsIContentPolicy which 
we use to enforce which resources from this protocol can be injected into content pages.

The problem is that on sites that enforce their own CSP, the resources may not 
be loaded. For example, github.com has script-src set to 'self' so it won't 
load stylesheets via our protocol. Is there any way to designate a protocol as 
privileged so that it overrides the CSP? From looking at the source code it 
seems like certain protocols (about, chrome, resource) are hardcoded to 
override the CSP but I couldn't see a way to define other privileged protocols.

The CSP implementation should be using protocol flags here instead of hardcoding (and if it's not, bugs should be filed). And then your protocol can set the relevant flags.

-Boris

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
