Protocol source matches for CSP in extensions not supported

When including something like http: or https: in the connect-src and img-src directives of the content_security_policy of web extensions, they are simply ignored.

Other matches like https://*.example.com/ work as expected.

Accepted Reply

This is expected behavior. Safari doesn't allow a full wildcard in the content security policy string.

If this is breaking your extension, could you please file feedback on https://feedbackassistant.apple.com explaining what your extension is trying to do and why you need these full wildcards?

Replies

To allow developers to enforce a more strict CSP. Basically, without wildcard matches I have to leave out the directive completely.

For example, one use case is limiting the set of images an extension is able to load in their own context.

Normally, any image can be loaded within the extension, yet when you set this as CSP:
default-src 'none'; img-src https:;

Only images from https can be loaded.
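As an added illustration (not code from this thread, Safari, or any extension), here is a small JavaScript matcher for CSP source expressions. It shows what the policy above, default-src 'none'; img-src https:, would permit if the scheme-source were honoured, next to a host-source like https://*.example.com/; the function names are mine, and only scheme-source, host-source and 'none' are handled (no 'self', nonces, hashes or path matching).

```javascript
// Added example: minimal matcher for two CSP source-expression forms,
// scheme-source ("https:") and host-source ("https://*.example.com/").
// Simplification: a host-source without a scheme is accepted for any scheme.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Parse "directive source source; directive source" into { directive: [sources] }.
function parsePolicy(policy) {
  const out = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    out[name.toLowerCase()] = sources;
  }
  return out;
}

// Does one source expression match the given URL?
function matchesSource(expr, url) {
  const u = new URL(url);
  if (expr === "'none'") return false;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {
    // scheme-source, e.g. "https:" (the form the thread reports Safari ignoring)
    return u.protocol.toLowerCase() === expr.toLowerCase();
  }
  // host-source: [scheme://][*.]host[:port][/path]; "*." permits subdomains only
  const m = expr.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?(\/.*)?$/i);
  if (!m) return false;
  const [, scheme, wild, host, port] = m;
  if (scheme && scheme.toLowerCase() !== u.protocol.slice(0, -1).toLowerCase()) return false;
  const h = u.hostname.toLowerCase();
  const hostOk = wild ? h.endsWith("." + host.toLowerCase()) : h === host.toLowerCase();
  if (!hostOk) return false;
  const urlPort = u.port || DEFAULT_PORTS[u.protocol] || "";
  if (port && port !== "*" && port !== urlPort) return false;
  return true;
}

// Is loading `url` under `directive` allowed, falling back to default-src?
function allows(policy, directive, url) {
  const p = parsePolicy(policy);
  const sources = p[directive] ?? p["default-src"];
  if (!sources) return true; // no applicable directive: unrestricted
  return sources.some((s) => matchesSource(s, url));
}
```

With the policy from the post, allows(policy, "img-src", "https://cdn.example.org/a.png") is true, the same image over http is refused, and connect-src falls through to default-src 'none'.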

Feedback has been filed, #8968973

See feedback assistant ticket: https://feedbackassistant.apple.com/feedback/8968973

Can this post be marked as "not solved"? The issue isn't solved yet.