Firefox: CSP issue on pages with `sandbox` directive
- Browser: Firefox 64 and 66
- Operating System: all
- Stylus Version: 1.5.2
Trying to style a non-HTML page like https://raw.githubusercontent.com/openstyles/stylus/master/.gitignore (notice that no Content-Type header is sent by the server) with a style such as

```css
@-moz-document domain("raw.githubusercontent.com") {
  body { background: #181818 !important; color: #ccc !important }
}
```
Stylus's content script does not seem to execute. The console shows a seemingly unrelated message:

```
Content Security Policy: The page’s settings blocked the loading of a resource at https://raw.githubusercontent.com/favicon.ico (“default-src”).
```
When I disable `security.csp.enable` in `about:config`, the style works as expected. I also attempted to see if Violentmonkey's new `@inject-into content` option has any impact on this, but it appears it is not the case. I was not able to execute a content script on such a page.
I wonder if this is a Firefox bug or if there might be an issue in how Stylus injects its script into a page like this. The issue is not present on Chrome, where it works with CSP enabled.
Probably related to https://github.com/openstyles/stylus/issues/618#issuecomment-449589223
Indeed, I see a "Could not communicate with the page. Try reloading the tab." when clicking the Stylus icon. Also just checked on Firefox Nightly 66, it's also affected.
https://bugzilla.mozilla.org/show_bug.cgi?id=1411641
I think this is unfixable. It affects content scripts including scripts defined in the manifest, injected through `tabs.executeScript`, or `contentScripts.register`.
I guess there must be some kind of workaround. Violentmonkey for example detects the .user.js on the raw url linked in that bug, so is able to execute something at least.
Extensions can open the installation dialog when visiting the page, but cannot inject scripts into it.
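
A check an extension developer could run over a response's headers to tell whether a page falls into the class this thread is about (a CSP `sandbox` directive enforced by header), added here as an example that is not part of the thread or of Stylus's code. The function names and the sample headers are constructed for illustration; the parsing follows the CSP rules that a repeated directive is ignored, that `sandbox` has no effect in a report-only header, and that every enforced policy applies.

```javascript
// Parse one serialized policy into a Map of directive name -> tokens.
// Directive names are case-insensitive; a repeated directive is ignored.
function parsePolicy(serialized) {
  const directives = new Map();
  for (const part of serialized.split(';')) {
    const tokens = part.trim().split(/[\t\n\f\r ]+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// headers: array of {name, value} pairs (the shape webRequest listeners receive).
// Returns null when no enforced policy sandboxes the page, otherwise the sorted
// list of allow-* flags left after combining every sandbox directive.
function enforcedSandbox(headers) {
  let flags = null;
  for (const { name, value } of headers) {
    // sandbox is ignored in Content-Security-Policy-Report-Only, so skip it.
    if (name.toLowerCase() !== 'content-security-policy') continue;
    // One header value may carry several comma-separated policies.
    for (const policy of value.split(',')) {
      const sandbox = parsePolicy(policy).get('sandbox');
      if (sandbox === undefined) continue;
      const allowed = new Set(sandbox.map((t) => t.toLowerCase()));
      // All policies are enforced, so only flags allowed by each one survive.
      flags = flags === null
        ? allowed
        : new Set([...flags].filter((f) => allowed.has(f)));
    }
  }
  return flags === null ? null : [...flags].sort();
}

// Constructed sample headers (not captured from any real server).
const SAMPLE = [
  { name: 'X-Content-Type-Options', value: 'nosniff' },
  { name: 'Content-Security-Policy',
    value: "default-src 'none'; style-src 'unsafe-inline'; sandbox" },
];

console.log(enforcedSandbox(SAMPLE)); // sandboxed, no allow-* flags
```

A `null` result means no enforced `sandbox` directive was found; an array (possibly empty) means the page is sandboxed and lists the flags the policy still allows.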