metamask-extension icon indicating copy to clipboard operation
metamask-extension copied to clipboard

Published 20 hours ago verified publisher icon MetaMask

fix: mv2 firefox csp header

Open itsyoboieltr opened this issue 1 year ago • 2 comments

Description

Open in GitHub Codespaces

This PR implements a workaround for a long-standing Firefox MV2 bug where the content-security-policy header is not bypassed, triggering an error.

The solution is simple: we check if the extension is MV2 running in Firefox. If yes, we override the header to prevent the error from raising.

Related issues

Fixes: https://github.com/MetaMask/metamask-extension/issues/3133, https://github.com/MetaMask/MetaMask-planning/issues/3342

Manual testing steps

  1. Opening github.com should not trigger the CSP error

Screenshots/Recordings

Before

reprod

After

fixed

Pre-merge author checklist

Pre-merge reviewer checklist

  • [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
  • [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

itsyoboieltr avatar Oct 10 '24 17:10 itsyoboieltr

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

github-actions[bot] avatar Oct 10 '24 17:10 github-actions[bot]

Quality Gate Failed Quality Gate failed

Failed conditions
1 Security Hotspot
18.8% Coverage on New Code (required ≥ 80%)

See analysis details on SonarCloud

sonarqubecloud[bot] avatar Oct 15 '24 18:10 sonarqubecloud[bot]

Builds ready [ce4709f]
Page Load Metrics (2113 ± 116 ms)
PlatformPageMetricMin (ms)Max (ms)Average (ms)StandardDeviation (ms)MarginOfError (ms)
ChromeHomefirstPaint38928561874648311
domContentLoaded180227402071229110
load180828462113241116
domInteractive29144552512
backgroundConnect1097432713
firstReactRender54130922211
getState875222210
initialActions01000
loadScripts128522231544221106
setupStore1276332110
uiStartup202530942329249120
Bundle size diffs [🚨 Warning! Bundle size has increased!]
  • background: 1.16 KiB (0.03%)
  • ui: 0 Bytes (0.00%)
  • common: 0 Bytes (0.00%)

metamaskbot avatar Oct 25 '24 20:10 metamaskbot

Builds ready [5483bd8]
Page Load Metrics (2086 ± 184 ms)
PlatformPageMetricMin (ms)Max (ms)Average (ms)StandardDeviation (ms)MarginOfError (ms)
ChromeHomefirstPaint33634622000541260
domContentLoaded171033702040370178
load171934592086383184
domInteractive168844199
backgroundConnect1197442512
firstReactRender494161339144
getState56421209
initialActions01000
loadScripts120528401520344165
setupStore11102352813
uiStartup191837192371463222
Bundle size diffs [🚨 Warning! Bundle size has increased!]
  • background: 2.56 KiB (0.06%)
  • ui: 0 Bytes (0.00%)
  • common: 0 Bytes (0.00%)

metamaskbot avatar Oct 25 '24 21:10 metamaskbot

Builds ready [73a22d3]
Page Load Metrics (2099 ± 212 ms)
PlatformPageMetricMin (ms)Max (ms)Average (ms)StandardDeviation (ms)MarginOfError (ms)
ChromeHomefirstPaint28938822013579278
domContentLoaded180837732053408196
load181339622099441212
domInteractive199941178
backgroundConnect9110472914
firstReactRender582921205426
getState495232613
initialActions01000
loadScripts130927681499302145
setupStore11108343215
uiStartup202844842355515247
Bundle size diffs [🚨 Warning! Bundle size has increased!]
  • background: 2.63 KiB (0.06%)
  • ui: 0 Bytes (0.00%)
  • common: 0 Bytes (0.00%)

metamaskbot avatar Oct 30 '24 20:10 metamaskbot

New dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/@types/[email protected] None 0 10.6 kB types

View full report↗︎

socket-security[bot] avatar Oct 31 '24 15:10 socket-security[bot]

Builds ready [49b6924]
Page Load Metrics (1987 ± 60 ms)
PlatformPageMetricMin (ms)Max (ms)Average (ms)StandardDeviation (ms)MarginOfError (ms)
ChromeHomefirstPaint28822081806520250
domContentLoaded17422129194911656
load17882192198712660
domInteractive1983442010
backgroundConnect8105322914
firstReactRender832041183316
getState45821209
initialActions01000
loadScripts12421622142511656
setupStore126924189
uiStartup19772580223816881
Bundle size diffs [🚨 Warning! Bundle size has increased!]
  • background: 2.56 KiB (0.06%)
  • ui: 0 Bytes (0.00%)
  • common: 0 Bytes (0.00%)

metamaskbot avatar Oct 31 '24 16:10 metamaskbot

Builds ready [31c2349]
Page Load Metrics (2220 ± 107 ms)
PlatformPageMetricMin (ms)Max (ms)Average (ms)StandardDeviation (ms)MarginOfError (ms)
ChromeHomefirstPaint32027732137467224
domContentLoaded19082734217020498
load191327792220223107
domInteractive19132532813
backgroundConnect8237384923
firstReactRender792231293517
getState866312311
initialActions01000
loadScripts13452205158919895
setupStore1389272311
uiStartup217430112498224108
Bundle size diffs [🚨 Warning! Bundle size has increased!]
  • background: 2.56 KiB (0.06%)
  • ui: 0 Bytes (0.00%)
  • common: 0 Bytes (0.00%)

metamaskbot avatar Oct 31 '24 18:10 metamaskbot

Builds ready [cec02cb]
Page Load Metrics (2095 ± 90 ms)
PlatformPageMetricMin (ms)Max (ms)Average (ms)StandardDeviation (ms)MarginOfError (ms)
ChromeHomefirstPaint30924752030432207
domContentLoaded17542464206817785
load17632477209518890
domInteractive229045199
backgroundConnect9153283316
firstReactRender532891276431
getState56619188
initialActions01000
loadScripts12301777151013967
setupStore1485442411
uiStartup203628622422242116
Bundle size diffs [🚨 Warning! Bundle size has increased!]
  • background: 3 KiB (0.07%)
  • ui: 2.03 KiB (0.03%)
  • common: 604 Bytes (0.01%)

metamaskbot avatar Nov 06 '24 22:11 metamaskbot

@danjm I manually tested it today with a prod-like build using the command:

yarn webpack --env production --no-lavamoat --browser firefox

it worked for me locally.

itsyoboieltr avatar Nov 06 '24 22:11 itsyoboieltr

Hey @itsyoboieltr I used the build from bot above and tested locally the zip in firefox. I noticed that in firefox page we won't receive any errors, while in extension log we still have it, is this expected? 截屏2024-11-07 11 26 46

截屏2024-11-07 11 28 25

DDDDDanica avatar Nov 07 '24 11:11 DDDDDanica

Hi @DDDDDanica, thank you for checking out and testing the PR! The error logs in the extension are unrelated to the issue. This PR is about fixing the CSP error messages for websites (not the extension itself). The screenshot you sent seems to be showing a pre-existing error. I could reproduce the same error messages in the console by running the current build from develop.

itsyoboieltr avatar Nov 07 '24 14:11 itsyoboieltr

@itsyoboieltr thanks for the explanation, just to make sure it is not related, approve now !

DDDDDanica avatar Nov 07 '24 15:11 DDDDDanica