2

As in case of Google Chrome browser Google Chrome CSP There are whitelisting of origins -

Currently, we allow whitelisting origins with the following schemes: blob, filesystem, https, chrome-extension, and chrome-extension-resource.

Is there any listing of such origins for Firefox. We are trying to write an add on for Firefox which will need to load as an iframe.

I currently get following CSP error when I am trying to load a frame.html read from my addon XPI resources. Its a frame which then loads the actual frame.

Content Security Policy: The page's settings blocked the loading of a resource at data:text/html;

iframe with chrome-extensions:// as the path works for Chrome browser nothing like that is available for Firefox. (atleast I am unable to trace such a thing)

Please give us some suggestion if we can do a path to get iframe extension working.

erikvold
  • 15,988
  • 11
  • 54
  • 98
sudhanshu
  • 462
  • 5
  • 17
  • resource:// urls don't load onto iframe and no CSP error gets shown up. There was recommendation that use data.load("simpleframe.html") and then set location of iframe with schema data: but there are pages with CSP to block that. Is the only way is to go back to XUL ? – sudhanshu Jan 21 '15 at 02:51

1 Answers1

0

On Firefox data:, blob: and filesystem: are subject to CSP. Use chrome: or resource: instead.

update:

Apparently this approach will not work with the Add-on SDK, probably due to sandbox restrictions.

paa
  • 5,048
  • 1
  • 18
  • 22
  • If we give resource:////data/frame.html it does not load inside the iframe. This path loads on a tab independently. And when it does not load it does not even throw CSP error. – sudhanshu Jan 20 '15 at 14:28
  • I am using addon sdk not xul to package the extension – sudhanshu Jan 20 '15 at 14:30
  • I found http://stackoverflow.com/questions/21082162/firefox-addon-sdk-loading-addon-file-into-iframe?rq=1 which says there is an issue with resource but my target webpage has CSP enabled which blocks data:// so I am stuck. – sudhanshu Jan 20 '15 at 18:09