(moved to an answer)
Post
Replies
Boosts
Views
Activity
There appears to be a difference with regards to injecting <script> elements.
In order to force Google docs to show its annotated canvas, Google recommends extensions use code such as the following in their content script:
const scriptElem = document.createElement('script');
scriptElem.textContent = "(function() { window['_docs_annotate_canvas_by_ext'] = '<extension id>'; })();";
(document.head || document.documentElement).appendChild(scriptElem);
scriptElem.remove();
This works as expected on Chrome and Firefox but on Safari it produces:
Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
For what it's worth, unsafe-inline does appear in the host page's CSP (i.e. that of docs.google.com) and adding the script's hash to a content_security_policy member of the extension's manifest does not appear to help either.
I believe this affects all Safari extensions. It is affecting mine and it also appears to be affecting this extension here: https://github.com/adobe/helix-sidekick-extension/issues/721