Content scripts policy violated for hrefs with javascript:fn in manifest v3

[Vinod Kumar]

Hi,

 We have an existing code to do click action by creating a mouse event and dispatching it

Example:-

var e = document.createEvent('MouseEvents');

            e.initEvent("click", true, true);

            anchorElement.dispatchEvent(e);

This logic is failing in manifest v3 when the anchorElement is having href="javascript:somefn()"

Error -

"Refused to run the JavaScript URL because it violates the following Content Security Policy directive: "script-src 'self' 'wasm-unsafe-eval' 'inline-speculation-rules' http://localhost:* http://127.0.0.1:* chrome-extension://a73b45f5-7ff8-4128-aab0-c4fa855a9faa/". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present."

Content Script Policy:-

"content_security_policy": {

    "extension_pages": "script-src 'self'; object-src 'self'"

   },

Could you please help?

[woxxom]

It's a known bug, which I re-reported several years ago in https://crbug.com/40215987.

One known workaround is to click() in the main world of the page as shown in https://stackoverflow.com/a/9517879. This is pretty convoluted right now as ManifestV3 doesn't yet have a way to run code in the main world directly from a content script in the default (isolated) world.

Since this is still not fixed, I wonder if it's even fixable or this is yet another inherently broken aspect of ManifestV3? There's a quite a few of such abandoned regressions introduced in ManifestV3 that aren't even tracked via the built-in mechanism of the bug tracker in order to ensure that ManifestV2 is not removed/disabled until all of these are fixed.

[Vinod Kumar]

Thank you.