Firefox, WebExtensions, and Content Security Policies
Today, Grant Taylor left some comments on entries here (eg yesterday's). As I often do for people who leave comments here who include their home page, I went and visited Taylor's home page in my usual Firefox browser, then when I was done I made my usual and automatic Foxygestures gesture to close the page. Except that this time, nothing happened (well, Firefox's right mouse button popup menu eventually came up when I released the mouse button).
(For instance, WebExtensions are not allowed to inject code into some web pages or otherwise touch them.)
It's definitely clear that Foxygestures not working on Taylor's
site is because of the site's Content Security Policy headers (I
can make it work and not work by toggling
but it's not clear why. Foxygestures is at least partly using content
scripts, which are supposed to not be subject to this issue if I'm
reading the Firefox bug correctly, but perhaps there's something
peculiar going on in what Foxygestures does in them. Firefox objects
to one part of the current Content-Security-Policy header, which
perhaps switches it to some extra-paranoid mode.
(I filed Foxygestures issue 283, if only so perhaps similar cases in the future have something to search for. There is Foxygestures issue 230, but in that the gestures still worked, the UI just had limitations.)
PS: This is where I wish for a Firefox addon that allows me to set or modify the CSP of web page(s) for debugging purposes, which I believe is at least possible in the WebExtensions API. Laboratory will do part of this but it doesn't seem to start from any existing site CSP, so the 'modifying' bit of my desires is at least awkward. mHeaderControl would let me block the CSPs of selected sites, at least in theory (I haven't tried it). It's a little bit surprising to me that you don't seem to be able to do this from within the Firefox developer tools, but perhaps the Firefox people thought this was a little bit too dangerous to provide.
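One way the CSP-modifying debugging addon wished for in the PS could work, as an added example that is not part of the original post or of any addon named in it: a background script that starts from the site's existing Content-Security-Policy header and edits individual directives. The host name and the edits are constructed placeholders, and it assumes a Manifest V2 extension with the permissions listed in the first comment.

```javascript
// Added example (not from the original post). background.js for a Manifest V2
// Firefox WebExtension; needs "webRequest", "webRequestBlocking" and a host
// permission for the site. DEBUG_HOST and EDITS are constructed placeholders.
const DEBUG_HOST = "csp-debug.example";
const EDITS = { "img-src": ["'self'", "data:"], "report-uri": null };

// Parse one CSP header value into a Map of directive name -> source list.
function parseCsp(value) {
  const policy = new Map();
  for (const part of value.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Per the CSP spec, a repeated directive is ignored; the first one wins.
    if (name && !policy.has(name.toLowerCase())) {
      policy.set(name.toLowerCase(), sources);
    }
  }
  return policy;
}

// Start from the site's own policy and apply edits: an array replaces a
// directive's sources, null removes the directive entirely.
function editCsp(value, edits) {
  const policy = parseCsp(value);
  for (const [name, sources] of Object.entries(edits)) {
    if (sources === null) policy.delete(name);
    else policy.set(name, sources);
  }
  return [...policy].map(([n, s]) => [n, ...s].join(" ")).join("; ");
}

// Rewrite every Content-Security-Policy header in a webRequest header list.
// Header names are matched case-insensitively; other headers pass through.
function rewriteHeaders(responseHeaders, edits) {
  return responseHeaders.map((h) =>
    h.name.toLowerCase() === "content-security-policy"
      ? { name: h.name, value: editCsp(h.value, edits) }
      : h
  );
}

// Only register inside an extension; under plain Node this is skipped.
if (typeof browser !== "undefined") {
  browser.webRequest.onHeadersReceived.addListener(
    (details) => ({ responseHeaders: rewriteHeaders(details.responseHeaders, EDITS) }),
    { urls: [`*://${DEBUG_HOST}/*`], types: ["main_frame"] },
    ["blocking", "responseHeaders"]
  );
}
```

Toggling one directive at a time in `EDITS` and reloading the page narrows down which part of a site's policy an extension is tripping over.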