Protocol source matches for CSP in extensions not supported

When including something like http: or https: in the connect-src and img-src directives of the content_security_policy of web extensions, they are simply ignored.

Other matches like https://*.example.com/ work as expected.
Answered by Engineer in 656349022
This is expected behavior. Safari doesn't allow a full wildcard in the content security policy string.

If this is breaking your extension, could you please file feedback on https://feedbackassistant.apple.com explaining what your extension is trying to do and why you need these full wildcards?
To allow developers to enforce a more strict CSP. Basically, without wildcard matches I have to leave out the directive completely.

For example, one use case is limiting the set of images an extension is able to load in its own context.

Normally, any image can be loaded within the extension, yet when you set this as CSP:
default-src 'none'; img-src https:;

Only images from https can be loaded.

Feedback has been filed, #8968973

Can this post be marked as "not solved", as the issue isn't solved yet?
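
An added example, not part of the original thread and not Apple's code: a small check that lists the sources in an extension CSP string that this thread reports Safari ignoring (`http:`, `https:` and the full wildcard `*`), together with what each directive is left with once they are dropped. The function names and the sample policies are constructed for illustration.

```javascript
// Added example, not code from the thread. Function names are hypothetical.
// Sources flagged: the ones this thread reports Safari ignoring.
const REPORTED_IGNORED = new Set(['http:', 'https:', '*']);

// Split a policy string into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // In CSP, a repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Report each flagged source plus what the directive keeps without it.
function findIgnoredSources(policy) {
  const findings = [];
  for (const [directive, sources] of parseCsp(policy)) {
    if (!directive.endsWith('-src')) continue;
    const remaining = sources.filter((s) => !REPORTED_IGNORED.has(s.toLowerCase()));
    for (const source of sources) {
      if (REPORTED_IGNORED.has(source.toLowerCase())) {
        findings.push({ directive, source, remaining });
      }
    }
  }
  return findings;
}

// Constructed sample policies.
const samples = [
  "default-src 'none'; img-src https:;",
  "img-src https://*.example.com/; connect-src 'self' http: https:",
];
for (const policy of samples) {
  console.log(policy, JSON.stringify(findIgnoredSources(policy)));
}
```

A directive whose `remaining` list is empty has no source left that the thread describes as working, so it needs explicit host sources such as https://*.example.com/ to express the intended restriction.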
