Manifest V 3 - Inline js on TARGET site click handler is breaking CSP

John Blair

Feb 28, 2022, 5:45:29 AM
to Chromium Extensions

I have a chrome extension that I recently migrated to manifest V3.

My extension bundles all required code, and so has a CSP setting of:

"content_security_policy": { "extension_pages" : "script-src 'self'; object-src 'self'" },

The extension is a content script running on a target site that I do not control, and at one point clicks a link on the page. The link has some inline javascript on the href, e.g:

<a href="javascript:__doPostBack('some args')">Link Text</a>

My extension locates the link using jquery, and then calls linkElement.click() to trigger the click. When it does this, I get CSP errors saying:

Refused to execute JavaScript URL because it violates the following Content Security Policy directive: "script-src 'self' object-src 'self'"

This was NOT a problem on manifest V2, it all worked fine.

This seems wrong to me. The inline code violation is on the target site, not my extension. All the extension is doing is clicking a DOM element. Surely at that point it should just hand over to the target site to do its thing. It doesn't feel right that the target site code can break my extension's CSP policy.

I also posted this to Stack Overflow and @w0xx0m provided a helpful reply suggesting to add a script tag to the DOM in the "main world", and also raised https://crbug.com/1299742.

However, if this genuinely is a bug and is something that will be addressed by the Chrome team I'd rather not mess with the main site DOM, so I wanted to raise it here to see if there is a reply from anyone at the Chrome team. 

Thanks

John

John Blair

May 18, 2022, 5:38:36 AM
to Chromium Extensions, John Blair
Hi,

Any thoughts on this from the Chromium team? I really need to start making some plans to address this if it's not going to be fixed. 

Thanks

John

Nirantali Zorvax

Jun 26, 2022, 9:55:49 AM
to Chromium Extensions, john....@gmail.com
I recently encountered the same problem when migrating an extension to v3 and it drives me to despair.

It is also a .click handler that causes it; everything works fine but

document.getElementById('continue_btn').click();

And the same in manifest V2 also worked fine, of course.

I also tried all sorts of other click() alternatives, and all fail.

If this Bug isn't fixed, I will abandon V3 migration.
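
Added example (not code from this thread or from Chrome's documentation): one way to follow the "main world" workaround mentioned in the first post without inserting a script tag, by having the extension's service worker run the click through chrome.scripting.executeScript with world: 'MAIN'. The message type and the function names are hypothetical, and the manifest is assumed to grant the "scripting" permission plus host permissions for the target site. Only a selector string crosses the message boundary, never code.

```javascript
// background.js (MV3 service worker) - added example, names are hypothetical.

// Executed by Chrome in the page's MAIN world. It is serialized before
// injection, so it must not reference variables from this file.
function clickInPage(selector) {
  const el = document.querySelector(selector);
  if (!el) return { clicked: false, reason: 'not-found' };
  el.click(); // the click now originates from the page's own world
  return { clicked: true };
}

// Validate a content-script request and build the executeScript() argument.
// Returns null for anything that is not a well-formed click request.
function buildInjection(msg, sender) {
  if (!msg || msg.type !== 'click-in-main-world') return null;
  if (typeof msg.selector !== 'string') return null;
  if (msg.selector.length === 0 || msg.selector.length > 256) return null;
  if (!sender || !sender.tab || typeof sender.tab.id !== 'number') return null;
  return {
    // Target only the tab and frame that sent the request.
    target: { tabId: sender.tab.id, frameIds: [sender.frameId ?? 0] },
    world: 'MAIN',
    func: clickInPage,
    args: [msg.selector], // data only: the page-side function is fixed
  };
}

// Wire-up; guarded so the file can also be loaded outside the browser.
if (typeof chrome !== 'undefined' && chrome.runtime && chrome.runtime.onMessage) {
  chrome.runtime.onMessage.addListener((msg, sender, sendResponse) => {
    const injection = buildInjection(msg, sender);
    if (!injection) {
      sendResponse({ clicked: false, reason: 'rejected' });
      return false;
    }
    chrome.scripting.executeScript(injection).then(
      ([frame]) => sendResponse(frame.result),
      (err) => sendResponse({ clicked: false, reason: String(err) })
    );
    return true; // keep the message channel open for the async reply
  });
}

// Content script side, replacing linkElement.click():
//   chrome.runtime.sendMessage(
//     { type: 'click-in-main-world', selector: '#continue_btn' });
```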