Injecting a stylesheet with use_dynamic_url set can crash some webpages


Gaurang Tandon

Aug 8, 2025, 8:20:20 AM
to Chromium Extensions
Hey all! I ran into a bug with `use_dynamic_url` and wanted to share it with the group to get your thoughts.

If a Chrome extension sets `use_dynamic_url` in `web_accessible_resources` (in manifest.json) and injects a stylesheet, it can crash the host page. We've seen this happen on Google Meet and one other site. There might be more such sites.

Here is the bug report: https://issues.chromium.org/issues/435609878

The bug got closed as "Intended Behavior", which I disagree with. `use_dynamic_url` doesn't document any CSP restrictions. Even then, a webpage crash is an inelegant way to enforce them.

Does anyone have any workarounds or suggestions for this issue?

Cheers,
Gaurang
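
As an added example (not from the thread or from Chromium), a small audit that lists which of an extension's stylesheets are exposed through a `web_accessible_resources` entry with `use_dynamic_url` set, the combination described in the post above. The manifest, file list and function names are constructed for illustration, and `*` is assumed to match any run of characters.

```javascript
// Added example: find stylesheets exposed through a use_dynamic_url entry.
// Assumption: "*" in a resource pattern matches any run of characters.
function globToRegExp(glob) {
  const escaped = glob.replace(/^\//, "").replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$");
}

function dynamicUrlStylesheets(manifest, files) {
  const findings = [];
  for (const entry of manifest.web_accessible_resources || []) {
    // Manifest V2 entries are plain strings and cannot carry use_dynamic_url.
    if (typeof entry !== "object" || entry === null) continue;
    if (entry.use_dynamic_url !== true) continue;
    const patterns = (entry.resources || []).map(globToRegExp);
    for (const file of files) {
      const path = file.replace(/^\//, "");
      if (/\.css$/i.test(path) && patterns.some((re) => re.test(path))) {
        // Record the stylesheet and the pages it can be loaded into.
        findings.push({ file: path, matches: entry.matches || [] });
      }
    }
  }
  return findings;
}

// Constructed sample manifest and packaged file list.
const sampleManifest = {
  manifest_version: 3,
  web_accessible_resources: [
    {
      resources: ["styles/*.css", "images/*"],
      matches: ["https://meet.google.com/*"],
      use_dynamic_url: true,
    },
    { resources: ["fonts/*", "static/base.css"], matches: ["<all_urls>"] },
  ],
};
const sampleFiles = [
  "styles/overlay.css",
  "static/base.css",
  "images/icon.png",
  "/styles/themes/dark.css",
];

for (const f of dynamicUrlStylesheets(sampleManifest, sampleFiles)) {
  console.log(`${f.file} is served via use_dynamic_url on ${f.matches.join(", ")}`);
}
```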

PhistucK

Aug 8, 2025, 9:00:50 AM
to Gaurang Tandon, Chromium Extensions
This is insane...
Even doubly insane - extensions are supposed to overcome Content Security Policy restrictions, otherwise they either lose power/become ineffective, or compromise the security/functionality of the website (by disabling the policy altogether, say, or manipulating it in a way that is not guaranteed to be compatible with the website). And a renderer crash as a "by design" behavior of using an extension API... Insane.


PhistucK



Oliver Dunk

Aug 27, 2025, 4:54:45 AM
to PhistucK, Gaurang Tandon, Chromium Extensions
Just to close the loop here, I do think this is a bug and I reopened the report a week or so back.

I'll keep working with the team to make sure we take a look. Thanks for flagging!
Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

