0

I have a chrome extension that I recently migrated to manifest V3.

My extension bundles all required code, and so has a CSP setting of:

"content_security_policy": {
    "extension_pages" : "script-src 'self'; object-src 'self'"
  },

The extension is a content script running on a target site that I do not control, and at one point clicks a link on the page. The link has some inline javascript on the href, e.g:

<a href="javascript:__doPostBack('some args')">Link Text</a>

My extension locates the link using jquery, and then calls linkElement.click() to trigger the click. When it does this, I get CSP errors saying:

Refused to execute JavaScript URL because it violates the following Content Security Policy directive: "script-src 'self' object-src 'self'"

This was NOT a problem on manifest V2, it all worked fine.

This seems wrong to me. The inline code violation is on the target site, not my extension. All the extension is doing is clicking a DOM element.. Surely at that point it should just hand over to the target site to do it's thing.. It doesn't feel right that the target site code can break my extension's CSP policy.

Can anyone help?

Thanks

John

John
  • 121
  • 1
  • 6
  • This is yet another bug in the infamous ManifestV3. Try element.dispatchEvent(new PointerEvent('click', {bubbles: true})) – wOxxOm Feb 22 '22 at 09:38
  • @wOxxOm thanks for the suggestion but I tried that already.. same error. – John Feb 22 '22 at 11:16
  • It's a [bug in ManifestV3](https://crbug.com/1299742). Until it's fixed the workaround is to do the click in [page context](/a/9517879) (method 1). – wOxxOm Feb 22 '22 at 11:54
  • Thanks for the additional info. If this *is* a bug rather than intended behaviour, I'm reluctant to mess too much with the page itself at the moment. I think I'll keep an eye on the bug for now and see if it gets fixed. – John Feb 22 '22 at 14:52

0 Answers0