I am currently contributing on an extension, and the main problem is that on Firefox, the CSP is being triggered, which causes quite a few issues. Mainly it seems to block the injection of dynamic CSS, which I thought I removed, although it still gets triggered. Just for reference, the website I am targeting is modrinth. This is the repo if you want a full look at the code (it's probably really bad code) blueRinth, however, the main problem I suspect is in my injected.js, where the code is:
document.onreadystatechange = function () {
const projectRegex =
/^https?:\/\/modrinth\.com\/(?:project|mod|resourcepack|shader|datapack|modpack)\/([^\/]+)/;
const projectIdTest = projectRegex.exec(window.location.href);
const projectId =
projectIdTest != null && projectIdTest.length > 1 ? projectIdTest[1] : null;
if (projectId !== null) {
runBanner(projectId);
return;
}
pageSupportsBanners = false;
};
useNuxtApp()._middleware.global.push(function handleRoute(to, from) {
if (to.name.startsWith("type-id")) {
const { id } = to.params;
console.log("entering project", id);
runBanner(id);
} else if (from.name.startsWith("type-id")) {
const { id } = from.params;
//console.log("leaving project", id);
const containers = document.getElementsByClassName("banner-container");
for (let container of containers) {
document.body.removeChild(container);
}
pageSupportsBanners = false;
}
});
let pageSupportsBanners = false;
const fallbackimage =
"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAYAAACqaXHeAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAAAnSURBVHhe7cEBDQAAAMKg909tDjcgAAAAAAAAAAAAAAAAAAAA4FwNQEAAAQtzTh0AAAAASUVORK5CYII=";
let banner = fallbackimage;
async function runBanner(id) {
console.log("runBanner called with id:", id);
pageSupportsBanners = true;
const apibase = "https://api.modrinth.com/v3/project/";
try {
const response = await fetch(apibase + id);
if (!response.ok) {
console.error("blueRinth: Response failed during banner loading.");
return;
}
const data = await response.json();
console.log("Project API data:", data);
console.log("gallery:", data.gallery);
data.gallery.forEach((entry) => {
if (entry.featured === true) {
banner = entry.url;
applyBanners();
}
});
} catch {
console.error(
"blueRinth: Something failed during banner loading. Please contact WorldWidePixel."
);
}
}
function applyBanners() {
console.log("applyBanners called, banner:", banner);
if (pageSupportsBanners) {
const bannerContainer = document.createElement("div");
const bannerStyles = document.createElement("style");
bannerStyles.innerHTML = `
.banner-image {
background-image:
linear-gradient(0deg, var(--color-bg) 0%, rgba(0, 0, 0, 0) 200%),
url(${banner}) !important;
}
`;
document.head.appendChild(bannerStyles);
bannerContainer.classList.add("banner-container");
const bannerImage = document.createElement("div");
bannerImage.classList.add("banner-image");
bannerContainer.appendChild(bannerImage);
const bannerBg = document.createElement("div");
bannerBg.classList.add("banner-bg");
document.body.appendChild(bannerBg);
document.body.appendChild(bannerContainer);
bannerContainer.style.opacity = "100%";
}
}
Here is the text of the CSP errors i face, I have little idea what they really mean, hence why I'm here:
Content-Security-Policy: (Report-Only policy) The page’s settings would block an inline script (script-src-elem) from being executed because it violates the following directive: “script-src 'self'”. Consider using a hash ('sha256-JBmyBqGA3TPyBg9fUy2esK5fafHmvdYH2GunnhLcvUw=') or a nonce.
Content-Security-Policy: The page’s settings blocked an inline style (style-src-elem) from being applied because it violates the following directive: “style-src https://m.stripe.network”. Consider using a hash ('sha256-dd4J3UnQShsOmqcYi4vN5BT3mGZB/0fOwBA72rsguKc=', requires 'unsafe-hashes' for style attributes) or a nonce.
I have tried moving all my css to separate files and declaring it in my manifest.json, then in my content.js, switching themes baed on those files, however this does not work. The problem may also arise in my content.js, where the main theme switching is handled.
modrinth.com/mods), only the subframes (js.stripe.comandm.stripe.network) have CSPs, not the top frame. I'm disinclined to debug your code on github, but are you sure you want to inject anything into the subframes?