Extension violates Content-Security-Policy
Description
When the extension blocks things such as Google Analytics, if the site in question has a Content-Security-Policy then the code that the extension inserts violates the policy, causing false reports of policy violations.
Steps to Reproduce
Using Chrome, go to the example page I have made at https://unequivocal.eu/duckduckgo-issue.html (or presumably any page which uses Google Analytics and has a Content-Security-Policy with a report-uri).
Expected behavior:
The analytics would be blocked without generating policy violations.
Actual behavior:
Observe in the network tab that Chrome generates a false report. From the console it can be seen that this is because the extension is trying to insert a script with src=data:... . Obviously as well as the false report, whatever it is that that script is supposed to be doing will not happen.
Versions
- Extension: 2019.3.6
- Browser: Chrome 73
- OS: Windows 10
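The mechanism behind the false report, as an added example that is not part of the original issue, the extension's code or Chrome's: a minimal JavaScript model of how a browser matches a script element's src URL against the page's script-src source list, and the csp-report body it would POST to the report-uri endpoint when the match fails. The policy string, document URL, report path and the placeholder data: payload are constructed sample values, and real browsers also handle path matching, nonces, hashes and script-src-elem, which this model leaves out.

```javascript
// Added example (not code from the extension or from Chrome): a simplified model
// of CSP script-src matching and of the report a violation produces. Path
// matching, nonces, hashes and script-src-elem are omitted for brevity.

// Parse "name src src; name src" into a Map of directive -> source list.
// Per CSP, only the first occurrence of a directive counts.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Does one source expression permit fetching url from a document at documentOrigin?
function sourceMatches(expr, url, documentOrigin) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return url.origin === documentOrigin;
  // "*" covers network schemes only; the spec excludes data:, blob: and
  // filesystem:, so a wildcard does not rescue a data: script either.
  if (e === '*') return Object.prototype.hasOwnProperty.call(DEFAULT_PORTS, url.protocol);
  // scheme-source such as "data:" or "https:" matches any URL with that scheme
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e;
  // 'unsafe-inline', 'nonce-...' and 'sha256-...' never match a src= fetch by URL
  if (e.startsWith("'")) return false;
  // host-source: [scheme://]host[:port][/path]
  const idx = e.indexOf('://');
  const scheme = idx === -1 ? null : e.slice(0, idx + 1);
  const [host, port] = (idx === -1 ? e : e.slice(idx + 3)).split('/')[0].split(':');
  if (scheme ? url.protocol !== scheme : !(url.protocol === 'http:' || url.protocol === 'https:')) {
    return false;
  }
  if (host.startsWith('*.')) {
    if (!url.hostname.endsWith(host.slice(1))) return false;
  } else if (url.hostname !== host) {
    return false;
  }
  if (port && port !== '*' && (url.port || DEFAULT_PORTS[url.protocol]) !== port) return false;
  return true;
}

// CSP3 "strip URL for use in reports": a non-HTTP(S) URL is reduced to its scheme,
// which is why a blocked data: script shows up in the report as blocked-uri "data".
function stripUrlForReport(url) {
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return url.protocol.slice(0, -1);
  return url.origin + url.pathname + url.search;
}

// Decide whether <script src=scriptUrl> may load under policy; if not, build the
// csp-report body the browser would POST to the report-uri endpoint.
function checkScriptSrc(policy, scriptUrl, documentUri) {
  const directives = parsePolicy(policy);
  const url = new URL(scriptUrl);
  const doc = new URL(documentUri);
  // script-src governs script fetches; default-src is the fallback when it is absent.
  const governing = directives.has('script-src') ? 'script-src' : 'default-src';
  const sources = directives.get(governing) || [];
  if (sources.some((expr) => sourceMatches(expr, url, doc.origin))) {
    return { allowed: true, report: null };
  }
  const report = { 'csp-report': {
    'document-uri': documentUri, 'violated-directive': governing,
    'effective-directive': 'script-src', 'original-policy': policy,
    'blocked-uri': stripUrlForReport(url), 'disposition': 'enforce' } };
  return { allowed: false, report };
}

// Constructed sample inputs modelled on the reproduction: a page CSP with a
// report-uri, the analytics script the page loads, and a data: URL standing in
// for the injected surrogate (the real surrogate body is not reproduced here).
const SAMPLE_POLICY =
  "default-src 'self'; script-src 'self' https://www.google-analytics.com; report-uri /csp-report";
const SAMPLE_DOCUMENT = 'https://example.test/duckduckgo-issue.html';
const ANALYTICS_SCRIPT = 'https://www.google-analytics.com/ga.js';
const SURROGATE_SCRIPT = 'data:text/javascript,/*%20placeholder%20surrogate%20*/';

function demo() {
  const analytics = checkScriptSrc(SAMPLE_POLICY, ANALYTICS_SCRIPT, SAMPLE_DOCUMENT);
  const surrogate = checkScriptSrc(SAMPLE_POLICY, SURROGATE_SCRIPT, SAMPLE_DOCUMENT);
  // Adding data: to script-src silences the report, but then any data: script
  // may run, which undermines the policy much as 'unsafe-inline' does.
  const loosened = checkScriptSrc(
    SAMPLE_POLICY.replace("script-src 'self'", "script-src 'self' data:"),
    SURROGATE_SCRIPT, SAMPLE_DOCUMENT);
  return { analytics, surrogate, loosened };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running this with node prints three results: the analytics URL is allowed by the host-source, the data: surrogate is refused and produces a report with violated-directive "script-src" and blocked-uri "data" (the reporting endpoint never sees the script body, only the scheme), and the same surrogate passes once data: is added to script-src. That last variant is what a page owner would have to do to silence the report, and it is why the fix belongs in the extension rather than in site policies: a script-src that admits data: lets any data: URL execute.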
Issue Analytics
- Created 5 years ago
- Reactions:2
- Comments:5 (2 by maintainers)
Top GitHub Comments
@jdorweiler This also popped up on my page. I decided to look a bit into where it was coming from. This is what I found out, let me know if this sounds correct… Here’s my thought process behind this:
- google-analytics.com/ga.js, which is the first one in the surrogate’s list.
- data: needs to be whitelisted in the page’s CSP if the background scripts were to load it.

This was resolved with a recent update of the extension so there are no longer CSP issues from this feature. We do still trigger some CSP issues in Firefox; however, this is to be resolved soon also.