Opened on 10/27/2017 at 11:37:41 AM

Closed on 11/28/2017 at 10:08:59 AM

Last modified on 12/12/2017 at 08:38:03 AM

#5953 closed defect (fixed)

CSP in Firefox blocks our script injection

Reported by: tschuster Assignee: tschuster
Priority: P3 Milestone: Adblock-Plus-3.0.2-for-Firefox
Module: Platform Keywords:
Cc: mjethani Blocked By:
Blocking: Platform: Firefox
Ready: yes Confidential: no
Tester: Ross Verified working: yes
Review URL(s):

Description (last modified by trev)

Firefox WebExtensions don't overwrite a site's CSP when creating a script and assigning to textContent instead of src. (We do this here:

I am going to submit a patch later, which is basically the same as this one I contributed to ViolentMonkey:

The relevant Firefox bug:

What to test

This issue affects WebRTC blocking on websites that have a CSP disallowing inline scripts (e.g. Content-Security-Policy: script-src 'self' or any other policy without 'unsafe-eval').

Note that the fix only works for Firefox 58 and above, not older versions of Firefox.
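An added example, not code from this ticket or from Adblock Plus: a small evaluator a tester can run over a site's Content-Security-Policy header to decide whether a script injected via textContent would count as a blocked inline script there, which is the condition the "What to test" section describes. It applies the CSP Level 2 rules stated in its comments; the sample headers are constructed, not taken from any real site.

```javascript
// Added example (not Adblock Plus code): decide from a site's CSP header
// whether a script injected via script.textContent is a blocked inline
// script, i.e. whether the site exercises the behaviour in this ticket.
// CSP Level 2 rules: script-src falls back to default-src; 'unsafe-inline'
// is ignored once a nonce- or hash-source is present; when several policies
// are delivered (multiple headers joined by commas), each must allow it.

// Split a header value into policies, each a Map of directive -> sources.
function parsePolicies(headerValue) {
  return headerValue.split(",").map((policy) => {
    const directives = new Map();
    for (const part of policy.split(";")) {
      const tokens = part.trim().split(/\s+/).filter(Boolean);
      if (tokens.length === 0) continue;
      const name = tokens[0].toLowerCase();
      // A repeated directive is ignored; the first occurrence wins.
      if (!directives.has(name)) directives.set(name, tokens.slice(1));
    }
    return directives;
  });
}

// True when one policy blocks inline scripts. An empty source list
// (a bare "script-src") matches nothing, like 'none'.
function policyBlocksInline(directives) {
  const sources = directives.get("script-src") || directives.get("default-src");
  if (sources === undefined) return false; // nothing governs scripts
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return !(lower.includes("'unsafe-inline'") && !hasNonceOrHash);
}

// True when any delivered policy blocks inline scripts; no header, no CSP.
function inlineScriptsBlocked(headerValue) {
  return Boolean(headerValue) && parsePolicies(headerValue).some(policyBlocksInline);
}
// Constructed sample headers (not any real site's policy), keyed by case;
// classifySamples() returns true where textContent injection would be blocked.
const SAMPLE_HEADERS = {
  strictSelf: "script-src 'self'",
  defaultOnly: "default-src 'self'; img-src *",
  allowsInline: "script-src 'self' 'unsafe-inline'",
  nonceOverridesInline: "script-src 'unsafe-inline' 'nonce-r4nd0m'",
  twoPolicies: "script-src 'unsafe-inline', default-src 'self'",
  noScriptDirective: "img-src 'none'",
};
function classifySamples(samples = SAMPLE_HEADERS) {
  return Object.fromEntries(Object.entries(samples).map(([k, h]) => [k, inlineScriptsBlocked(h)]));
}
console.table(classifySamples());
```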

Attachments (0)

Change History (18)

comment:1 Changed on 10/27/2017 at 11:38:07 AM by tschuster

  • Description modified (diff)

comment:2 Changed on 10/27/2017 at 03:58:30 PM by tschuster

  • Review URL(s) modified (diff)

comment:3 Changed on 10/27/2017 at 04:02:00 PM by tschuster

This way of injecting the script seems a bit more error prone compared to just setting textContent, so maybe we should only do this in Firefox?

comment:4 Changed on 10/27/2017 at 04:30:18 PM by mjethani

Are you sure that this is needed?

We don't do script injection on Firefox; instead we use tabs.insertCSS. This is unlikely to change even in the future.

comment:5 Changed on 10/27/2017 at 04:30:29 PM by mjethani

  • Cc mjethani added

comment:6 Changed on 10/27/2017 at 04:48:57 PM by tschuster

Weird, this code definitely seems to run for me. When using the latest build from, I get this error on (for example) github:

Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src”). Source: (function injected(eventName, injectedIn....

comment:7 Changed on 10/27/2017 at 04:51:38 PM by mjethani

My bad! I momentarily confused script injection with style injection. Yes, we do run this for the wrappers.

comment:8 Changed on 11/23/2017 at 02:48:15 PM by abpbot

A commit referencing this issue has landed:
Issue 5953 - Bypass site CSP for script injection in Firefox

comment:9 Changed on 11/23/2017 at 02:49:12 PM by kzar

  • Milestone changed from Adblock-Plus-3.0-for-Chrome-Opera-Firefox to Adblock-Plus-for-Chrome-Opera-Firefox-next

comment:10 Changed on 11/28/2017 at 10:00:28 AM by Ross

Just double checking: Testing for this should be checking that scripts are still injected/function on sites using a CSP?

comment:11 Changed on 11/28/2017 at 10:08:59 AM by trev

  • Resolution set to fixed
  • Status changed from new to closed

comment:12 Changed on 11/28/2017 at 10:15:14 AM by trev

  • Component changed from Unknown to Platform
  • Description modified (diff)
  • Priority changed from Unknown to P3
  • Ready set

comment:13 Changed on 11/28/2017 at 11:39:10 AM by trev

  • Description modified (diff)

comment:14 Changed on 11/28/2017 at 04:27:27 PM by tschuster

To provide a bit more information on this: this change landed only in Firefox 58 (beta at the moment). The actually relevant bug is, which is a dependency of the bug I posted initially.

comment:15 follow-up: Changed on 12/05/2017 at 10:15:53 AM by Ross

After reading through the mozilla tickets, I'm unsure what to test for this ticket. That WebRTC works fine in Firefox 58+? And/or the github related error in comment 6?

comment:16 in reply to: ↑ 15 Changed on 12/11/2017 at 11:22:14 AM by kzar

Replying to Ross:

After reading through the mozilla tickets, I'm unsure what to test for this ticket. That WebRTC works fine in Firefox 58+? And/or the github related error in comment 6?

As discussed in IRC I've had a go at making a test page for you, browse to and then click the link to the #5953 test page. It should attempt to open a WebRTC connection to a non-existing WebRTC server, but there should be an extremely restrictive Content Security Policy which blocks most other scripts (including the others in the page which attempt to open WebSocket connections).

comment:17 Changed on 12/11/2017 at 04:22:14 PM by kzar

  • Owner set to tschuster

comment:18 Changed on 12/12/2017 at 08:38:03 AM by Ross

  • Tester changed from Unknown to Ross
  • Verified working set

Done. Using kzar's CSP test page I could block the WebRTC connection the page was attempting to make.

Firefox 58 / Windows 7
