Extension in a default-src 'self' CSP environment causes page load to fail #1519

Open
robinwhittleton opened this issue Sep 15, 2024 · 5 comments

@robinwhittleton

Intended outcome:

Load a page with a CSP of default-src 'self'; (in this case https://standardebooks.org/). The page is expected to load and render regardless of the CSP settings.

Actual outcome:

Blank screen, and CSP errors in the console. This was originally reported at standardebooks/web#397.

How to reproduce the issue:

Visit https://standardebooks.org/, observe blank page, observe errors in the console.

Desktop (please complete the following information):

  • OS: macOS 14.6.1
  • Browser: Firefox
  • Browser version: I tested in Nightly
  • Extension version: 4.18.6

@phryneas
Member

That is curious - a CSP blocking JS execution should to my knowledge just not execute that JS (and issue a warning) - but never crash the whole page.

I'll investigate.

@phryneas
Member

Note: this only seems to happen in Firefox, not in Chrome.

@phryneas
Member

Irritatingly, if I build the extension locally, it neither crashes Firefox nor Chrome.

@phryneas
Member

While I can't find a way to really prevent this, the same is happening with the Redux DevTools and the React DevTools.

I can't really imagine that this has gone unnoticed for so long... maybe it's a regression in Firefox itself?

As I already said, I would expect FF to just continue going after a warning, not crash the whole page 🤔

@phryneas
Member

I had a chat with the maintainer of the Redux Devtools about this; this could be the way to go, @jerelmiller

image

2 participants