[Webkit-unassigned] [Bug 243349] New: Setting CSP in extension manifest incorrectly blocks image loading
bugzilla-daemon at webkit.org
Fri Jul 29 10:44:51 PDT 2022
https://bugs.webkit.org/show_bug.cgi?id=243349
Bug ID: 243349
Summary: Setting CSP in extension manifest incorrectly blocks image loading
Product: WebKit
Version: Safari 15
Hardware: Mac (Apple Silicon)
OS: macOS 12
Status: NEW
Severity: Normal
Priority: P2
Component: New Bugs
Assignee: webkit-unassigned at lists.webkit.org
Reporter: mike at michaelflores.io
Created attachment 461298
--> https://bugs.webkit.org/attachment.cgi?id=461298&action=review
A repro of the issue. Remove the content_security_policy key in manifest.json and observe that images load correctly (the CSP meta tag is set in public/index.html).
In the manifest.json for my Safari Web Extension, I set a CSP like so:
```json
"content_security_policy": {
  "extension_pages": "img-src https://images.unsplash.com data:; script-src 'self'; object-src 'self';"
},
```
On Chromium browsers, this correctly allows images from Unsplash to load. On Safari, it blocks these images with this error:
```
Refused to load https://images.unsplash.com/photo-1587830290334-020efdcbc345?crop=entropy&cs=tinysrgb&fit=max&fm=webp&ixid=MnwxNzkyODZ8MHwxfGFsbHx8fHx8fHx8fDE2MTczMjkzMDc&ixlib=rb-1.2.1&q=80&w=400 because it does not appear in the img-src directive of the Content Security Policy.
```
If I use the same CSP value and set it via meta tag instead, it correctly allows Unsplash images while correctly blocking images from other domains not of the `data:` scheme. I.e.:
```html
<meta
  http-equiv="Content-Security-Policy"
  content="img-src https://images.unsplash.com data:; script-src 'self'; object-src 'self';"
/>
```
This seems to point to a bug somewhere, as this CSP should result in the same behavior whether set in the manifest or via meta tag I believe.
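As an added illustration (not part of the bug report, and not WebKit or extension code), the JavaScript below models how a browser is expected to match an image URL against the `img-src` source list in the reporter's policy. It assumes hypothetical helper names (`parsePolicy`, `cspAllows`, `cspAllowsImage`, `demo`) and implements the CSP3 source-matching rules only for the source forms that appear in the report plus the `'self'` and `'none'` keywords: a scheme source such as `data:`, and a host source with optional scheme, `*.` wildcard, port and path. Run against the reporter's policy, it shows the behaviour the meta-tag version produced (Unsplash and `data:` images allowed, other hosts refused), which is the expected outcome whichever way the policy is delivered.

```javascript
// Added example: simplified CSP source-list matching (hypothetical helpers,
// not WebKit's implementation). Covers scheme sources, host sources and the
// 'self' / 'none' keywords; nonces, hashes and other keywords are omitted.

// Split "directive sources; directive sources" into Map(name -> [sources]).
// Per CSP, the first occurrence of a directive wins; later duplicates are ignored.
function parsePolicy(policy) {
  const directives = new Map();
  for (const raw of policy.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Does one host-source expression (e.g. "https://images.unsplash.com",
// "*.example.com:443/img/") match the parsed URL?
function hostSourceMatches(expr, u) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^/:*]+)(?::(\d+|\*))?(\/[^?#]*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port, path] = m;

  // Scheme: an explicit scheme must match (CSP3 lets http: sources cover https:);
  // a bare host only covers http(s) URLs, never data:, blob:, etc.
  if (scheme) {
    const s = scheme.toLowerCase() + ":";
    if (s !== u.protocol && !(s === "http:" && u.protocol === "https:")) return false;
  } else if (u.protocol !== "http:" && u.protocol !== "https:") {
    return false;
  }

  // Host: "*" matches anything, "*.example.com" matches subdomains only,
  // otherwise the host must match exactly (case-insensitively).
  const h = u.hostname.toLowerCase();
  if (host === "*") {
    // any host
  } else if (host.startsWith("*.")) {
    if (!h.endsWith(host.slice(1).toLowerCase())) return false;
  } else if (h !== host.toLowerCase()) {
    return false;
  }

  // Port: WHATWG URL leaves u.port empty when it is the scheme default, so an
  // expression without a port only matches URLs on the default port.
  if (port === undefined) {
    if (u.port !== "") return false;
  } else if (port !== "*" && port !== u.port) {
    return false;
  }

  // Path: a trailing "/" is a prefix match, anything else is an exact match.
  if (path) {
    if (path.endsWith("/")) {
      if (!u.pathname.startsWith(path)) return false;
    } else if (u.pathname !== path) {
      return false;
    }
  }
  return true;
}

// Match a single source expression of any supported kind.
function sourceMatches(expr, u, selfOrigin) {
  const lower = expr.toLowerCase();
  if (lower === "'none'") return false;
  if (lower === "'self'") return u.origin === selfOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {          // scheme source, e.g. "data:"
    return lower === u.protocol || (lower === "http:" && u.protocol === "https:");
  }
  return hostSourceMatches(expr, u);
}

// Is `url` allowed by `directive` (falling back to default-src) in `policy`?
// An absent directive (and no default-src) means the fetch is unrestricted.
function cspAllows(policy, directive, url, selfOrigin = "") {
  const directives = parsePolicy(policy);
  const sources = directives.get(directive) ?? directives.get("default-src");
  if (sources === undefined) return true;
  const u = new URL(url);
  return sources.some((src) => sourceMatches(src, u, selfOrigin));
}

function cspAllowsImage(policy, url, selfOrigin = "") {
  return cspAllows(policy, "img-src", url, selfOrigin);
}

// The policy from the report, checked against constructed sample image URLs.
const REPORTED_POLICY =
  "img-src https://images.unsplash.com data:; script-src 'self'; object-src 'self';";

function demo() {
  return {
    unsplash: cspAllowsImage(REPORTED_POLICY, "https://images.unsplash.com/photo-1587830290334-020efdcbc345?fm=webp&w=400"),
    dataUri: cspAllowsImage(REPORTED_POLICY, "data:image/png;base64,iVBORw0KGgo="),
    otherHost: cspAllowsImage(REPORTED_POLICY, "https://example.com/cat.png"),
    plainHttp: cspAllowsImage(REPORTED_POLICY, "http://images.unsplash.com/a.png"),
  };
}

console.log(demo()); // expected: unsplash/dataUri true, otherHost/plainHttp false
```

The `plainHttp` case is worth noting when writing a policy: the source `https://images.unsplash.com` names a scheme, so a plain-`http:` fetch of the same host does not match it, whereas a bare `images.unsplash.com` would cover both.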