{"id":8775,"date":"2019-12-12T08:41:55","date_gmt":"2019-12-12T16:41:55","guid":{"rendered":"http:\/\/blog.mozilla.org\/addons\/?p=8775"},"modified":"2019-12-12T11:29:23","modified_gmt":"2019-12-12T19:29:23","slug":"test-the-new-csp-for-content-scripts","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/addons\/2019\/12\/12\/test-the-new-csp-for-content-scripts\/","title":{"rendered":"Test the new Content Security Policy for Content Scripts"},"content":{"rendered":"<p>As part of our efforts to make add-ons safer for users, and to support evolving <a href=\"https:\/\/blog.mozilla.org\/addons\/2019\/09\/03\/mozillas-manifest-v3-faq\/\">manifest v3<\/a> features, we are making changes to apply the <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Mozilla\/Add-ons\/WebExtensions\/Content_Security_Policy#Default_content_security_policy\">Content Security Policy<\/a> (CSP) to content scripts used in extensions. These changes will make it easier to enforce our long-standing <a href=\"https:\/\/extensionworkshop.com\/documentation\/publish\/add-on-policies\/\">policy<\/a> of disallowing execution of remote code.<\/p>\n<p>When this feature is completed and enabled, remotely hosted code will not run: attempts to load it will fail with a network error. We have taken our time implementing this change to decrease the likelihood of breaking extensions and to maintain compatibility. Programmatically limiting the execution of remotely hosted code is an important aspect of manifest v3, and we feel it is a good time to move forward with these changes now.<\/p>\n<p>We have landed a new content script CSP, the first part of these changes, behind preferences in Firefox 72. 
We\u2019d love for developers to test it out to see how their extensions will be affected.<\/p>\n<h2>Testing instructions<\/h2>\n<p>Using a test profile in Firefox Beta or Nightly, please change the following preferences in <code>about:config<\/code>:<\/p>\n<ul>\n<li>Set <code>extensions.content_script_csp.enabled<\/code> to <code>true<\/code><\/li>\n<li>Set <code>extensions.content_script_csp.report_only<\/code> to <code>false<\/code> so that the policy is enforced rather than only reported<\/li>\n<\/ul>\n<p>This will apply the <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Mozilla\/Add-ons\/WebExtensions\/Content_Security_Policy#Default_content_security_policy\">default CSP<\/a> to the content scripts of all installed extensions in the profile.<\/p>\n<p>Then update your extension\u2019s manifest to use the new <code>content_security_policy<\/code> format. With the new content script CSP, the value becomes an object with two keys that take the same policy syntax: <code>extension_pages<\/code> governs <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Mozilla\/Add-ons\/WebExtensions\/user_interface\/Extension_pages\">extension pages<\/a> and <code>content_scripts<\/code> governs <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Mozilla\/Add-ons\/WebExtensions\/manifest.json\/content_scripts\">content scripts<\/a>. This means that the original CSP string moves under the <code>extension_pages<\/code> key, and the new <code>content_scripts<\/code> key controls content scripts.<\/p>\n<p>Your CSP will change from something that looks like:<\/p>\n<pre>\"content_security_policy\": \"script-src 'self'; object-src 'none'\"<\/pre>\n<p>To something that looks like:<\/p>\n<pre>\"content_security_policy\": {\n  \"extension_pages\": \"script-src 'self'; object-src 'none'\",\n  \"content_scripts\": \"script-src 'self'; object-src 'none'\"\n}<\/pre>\n<p>Next, load your extension in <code>about:debugging<\/code>. 
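The migration shown in the two manifest snippets above, and the later advice not to loosen the policy to admit remote code, can both be checked mechanically. The script below is an added example and is not code from the Mozilla post or from Firefox: it rewrites a manifest v2 string-form `content_security_policy` into the `extension_pages` / `content_scripts` object form and lists every `script-src` source that is not local to the extension package. The sample manifests are constructed for illustration, and the notion of a "local" source (only `'self'`, `'none'` and inline hashes) is the example's own, stricter than what the browser itself enforces, so it also flags `'unsafe-eval'` and `'unsafe-inline'`.

```javascript
// Added example, not code from the Mozilla post or from Firefox: migrate a
// manifest v2 "content_security_policy" string into the object form and flag
// script sources that would let remotely hosted code run.

// Parse a CSP string into a Map of directive name -> list of source expressions.
// Directives are separated by ';', tokens inside a directive by whitespace.
// As in CSP itself, a repeated directive is ignored and the first one wins.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Source expressions that keep script execution inside the extension package
// (this classification is the example's own, not the browser's). Hashes cover
// inline scripts whose content is fixed at packaging time.
function isLocalScriptSource(src) {
  return (
    src === "'self'" ||
    src === "'none'" ||
    /^'sha(256|384|512)-[A-Za-z0-9+\/=]+'$/.test(src)
  );
}

// Return the script-src (or, failing that, default-src) sources that are not
// local: host names, schemes such as https:, wildcards, 'unsafe-eval',
// 'unsafe-inline'. No script-src and no default-src means scripts are
// unrestricted, reported here as "*".
function nonLocalScriptSources(policy) {
  const d = parseCsp(policy);
  const sources = d.get("script-src") ?? d.get("default-src");
  if (sources === undefined) return ["*"];
  return sources.filter((src) => !isLocalScriptSource(src));
}

// Convert a v2-style string policy into { extension_pages, content_scripts }.
// Both keys start from the same string, as in the post's example. An object
// is returned unchanged; an absent policy stays absent so the browser's
// documented default applies.
function migrateCsp(manifest) {
  const out = JSON.parse(JSON.stringify(manifest));
  if (typeof out.content_security_policy === "string") {
    const csp = out.content_security_policy;
    out.content_security_policy = { extension_pages: csp, content_scripts: csp };
  }
  return out;
}

// Migrate, then audit each key: one list of offending sources per key.
function auditManifest(manifest) {
  const migrated = migrateCsp(manifest);
  const violations = {};
  const csp = migrated.content_security_policy;
  if (csp !== undefined) {
    for (const key of ["extension_pages", "content_scripts"]) {
      if (typeof csp[key] === "string") violations[key] = nonLocalScriptSources(csp[key]);
    }
  }
  return { migrated, violations };
}

// Constructed sample manifests (hypothetical extensions, not real ones).
const CLEAN_MANIFEST = {
  manifest_version: 2,
  name: "csp-demo",
  version: "1.0",
  content_security_policy: "script-src 'self'; object-src 'none'",
};

const REMOTE_MANIFEST = {
  ...CLEAN_MANIFEST,
  content_security_policy:
    "script-src 'self' https://cdn.example.com 'unsafe-eval'; object-src 'none'",
};

if (typeof require !== "undefined" && require.main === module) {
  for (const m of [CLEAN_MANIFEST, REMOTE_MANIFEST]) {
    console.log(JSON.stringify(auditManifest(m), null, 2));
  }
}
```

Run it with `node` to print the migrated manifests and their violation lists; `REMOTE_MANIFEST` reports `https://cdn.example.com` and `'unsafe-eval'` under both keys, which is exactly the kind of policy the post asks you not to ship. The fallback from `script-src` to `default-src` matters because a manifest that sets only `default-src 'self'` is still locked down, while one that sets only `object-src` leaves script sources unrestricted.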
The default CSP now applied to your content scripts will block loads of remote resources, much like the mixed-content blocking you see when an https page tries to load an image over plain http, so parts of your extension may stop working; blocked loads show up as CSP violation messages in the Browser Console. As with the old string-form <code>content_security_policy<\/code> (as <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Mozilla\/Add-ons\/WebExtensions\/manifest.json\/content_security_policy\">documented<\/a> on MDN), you can adjust the policy that applies to content scripts using the <code>content_scripts<\/code> key.<\/p>\n<p>Please do not loosen the CSP to allow remote code, as we are working on upcoming changes to <a href=\"https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1594234\">disallow remote scripts<\/a>.<\/p>\n<p>As a note, we don&#8217;t currently support any other keys in the <code>content_security_policy<\/code> object. We plan to be as compatible as possible with Chrome in this area and will support the same key name Chrome uses for content scripts in the future.<\/p>\n<p>Please tell us about your testing experience on our <a href=\"https:\/\/discourse.mozilla.org\/t\/blog-post-test-the-new-content-security-policy-for-content-scripts\/50245\">community forums<\/a>. If you think you\u2019ve found a bug, please let us know on <a href=\"https:\/\/bugzilla.mozilla.org\/enter_bug.cgi?product=WebExtensions\">Bugzilla<\/a>.<\/p>\n<h2>Implementation timeline<\/h2>\n<p>More changes to the CSP for extensions are expected to land behind preferences in the upcoming weeks. We will publish testing instructions once those updates are ready. The full set of changes should be finished and enabled by default in 2020, meaning that you will be able to use the new format without toggling any preferences in Firefox.<\/p>\n<p>Even after the new CSP is turned on by default, <b>extensions using manifest v2 will be able to continue using the string form of the CSP. 
<\/b>The object format will only be required for extensions that use manifest v3 (which is not yet supported in Firefox).<\/p>\n<p>There will be a transition period when Firefox supports both manifest v2 and manifest v3 so that developers have time to update their extensions. Stay tuned for updates about timing!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As part of our efforts to make add-ons safer for users, and to support evolving manifest v3 features, we are making changes to apply the Content Security Policy (CSP) to &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/addons\/2019\/12\/12\/test-the-new-csp-for-content-scripts\/\">Read more<\/a><\/p>\n","protected":false},"author":333,"featured_media":8771,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[388,44,278886],"tags":[322922],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Test the new Content Security Policy for Content Scripts - Mozilla Add-ons Community Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/addons\/2019\/12\/12\/test-the-new-csp-for-content-scripts\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Philipp Kewisch\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/addons\/2019\/12\/12\/test-the-new-csp-for-content-scripts\/\",\"url\":\"https:\/\/blog.mozilla.org\/addons\/2019\/12\/12\/test-the-new-csp-for-content-scripts\/\",\"name\":\"Test the new Content Security Policy for Content Scripts - Mozilla Add-ons Community Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/addons\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.mozilla.org\/addons\/2019\/12\/12\/test-the-new-csp-for-content-scripts\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.mozilla.org\/addons\/2019\/12\/12\/test-the-new-csp-for-content-scripts\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/blog.mozilla.org\/addons\/files\/2019\/12\/Firefox-parent-brand-logo.png\",\"datePublished\":\"2019-12-12T16:41:55+00:00\",\"dateModified\":\"2019-12-12T19:29:23+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/addons\/#\/schema\/person\/86ecef4a5de728e6d3ffe72a25077a94\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/addons\/2019\/12\/12\/test-the-new-csp-for-content-scripts\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/addons\/2019\/12\/12\/test-the-new-csp-for-content-scripts\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/addons\/2019\/12\/12\/test-the-new-csp-for-content-scripts\/#primaryimage\",\"url\":\"https:\/\/blog.mozilla.org\/addons\/files\/2019\/12\/Firefox-parent-brand-logo.png\",\"contentUrl\":\"https:\/\/blog.mozilla.org\/addons\/files\/2019\/12\/Firefox-parent-brand-logo.png\",\"width\":1856,\"height\":1831},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/addons\/2019\/12\/12\/test-the-new-csp-for-content-scr
ipts\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/addons\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Test the new Content Security Policy for Content Scripts\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/addons\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/addons\/\",\"name\":\"Mozilla Add-ons Community Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/addons\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/addons\/#\/schema\/person\/86ecef4a5de728e6d3ffe72a25077a94\",\"name\":\"Philipp Kewisch\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/addons\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/c2d92d64a4b77306c45df1c9be647621?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/c2d92d64a4b77306c45df1c9be647621?s=96&d=mm&r=g\",\"caption\":\"Philipp Kewisch\"},\"description\":\"Twitter: @pkewisch\",\"sameAs\":[\"https:\/\/twitter.com\/pkewisch\",\"https:\/\/x.com\/pkewisch\"],\"url\":\"https:\/\/blog.mozilla.org\/addons\/author\/calendar\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Test the new Content Security Policy for Content Scripts - Mozilla Add-ons Community Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/addons\/2019\/12\/12\/test-the-new-csp-for-content-scripts\/","twitter_misc":{"Written by":"Philipp Kewisch","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/addons\/2019\/12\/12\/test-the-new-csp-for-content-scripts\/","url":"https:\/\/blog.mozilla.org\/addons\/2019\/12\/12\/test-the-new-csp-for-content-scripts\/","name":"Test the new Content Security Policy for Content Scripts - Mozilla Add-ons Community Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/addons\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.mozilla.org\/addons\/2019\/12\/12\/test-the-new-csp-for-content-scripts\/#primaryimage"},"image":{"@id":"https:\/\/blog.mozilla.org\/addons\/2019\/12\/12\/test-the-new-csp-for-content-scripts\/#primaryimage"},"thumbnailUrl":"https:\/\/blog.mozilla.org\/addons\/files\/2019\/12\/Firefox-parent-brand-logo.png","datePublished":"2019-12-12T16:41:55+00:00","dateModified":"2019-12-12T19:29:23+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/addons\/#\/schema\/person\/86ecef4a5de728e6d3ffe72a25077a94"},"breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/addons\/2019\/12\/12\/test-the-new-csp-for-content-scripts\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/addons\/2019\/12\/12\/test-the-new-csp-for-content-scripts\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/addons\/2019\/12\/12\/test-the-new-csp-for-content-scripts\/#primaryimage","url":"https:\/\/blog.mozilla.org\/addons\/files\/2019\/12\/Firefox-parent-brand-logo.png","contentUrl":"https:\/\/blog.mozilla.org\/addons\/files\/2019\/12\/Firefox-parent-brand-logo.png","width":1856,"height":1831},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/addons\/2019\/12\/12\/test-the-new-csp-for-content-scripts\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/addons\/"},{"@type":"ListItem","position":2,"name":"Test the new Content Security Policy for 
Content Scripts"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/addons\/#website","url":"https:\/\/blog.mozilla.org\/addons\/","name":"Mozilla Add-ons Community Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/addons\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/addons\/#\/schema\/person\/86ecef4a5de728e6d3ffe72a25077a94","name":"Philipp Kewisch","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/addons\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/c2d92d64a4b77306c45df1c9be647621?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/c2d92d64a4b77306c45df1c9be647621?s=96&d=mm&r=g","caption":"Philipp Kewisch"},"description":"Twitter: @pkewisch","sameAs":["https:\/\/twitter.com\/pkewisch","https:\/\/x.com\/pkewisch"],"url":"https:\/\/blog.mozilla.org\/addons\/author\/calendar\/"}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/addons\/wp-json\/wp\/v2\/posts\/8775"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/addons\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/addons\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/addons\/wp-json\/wp\/v2\/users\/333"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/addons\/wp-json\/wp\/v2\/comments?post=8775"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/addons\/wp-json\/wp\/v2\/posts\/8775\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/addons\/wp-json\/wp\/v2\/media\/8771"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/addons\/wp-json\/wp\/v2\/media?parent=8775"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/addons\/wp-json\/w
p\/v2\/categories?post=8775"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/addons\/wp-json\/wp\/v2\/tags?post=8775"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}