https://bugs.kde.org/show_bug.cgi?id=395531

            Bug ID: 395531
           Summary: Plasma Integration extension injects scripts into
                    pages where it’s disallowed by Content Security Policy
                    and clutters CSP violation reports
           Product: plasma-browser-integration
           Version: unspecified
          Platform: Other
                OS: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: NOR
         Component: general
          Assignee: k...@privat.broulik.de
          Reporter: vil...@posteo.net
  Target Milestone: ---

The Plasma Integration extension injects its own scripts into pages where
inline scripts are disallowed by Content Security Policy, which promptly get
blocked by the browser, and then in pages where the 'report-uri' directive is
present the browser sends two reports for every page, which causes the
server-side reports log to be cluttered with violation reports caused by the
extension.

Steps to Reproduce:

1) Install the Plasma Integration extension.
2) Go to a page where Content Security Policy does not allow inline scripts,
e.g. https://wandystan.eu/w/.
3) Open the browser console.

Actual Results:

There are two errors like this:

> Content Security Policy: Ustawienia strony zablokowały wczytanie zasobu 
> „self” („script-src https://wandystan.eu”). Source: (        function() {     
>        f4207....
> Content Security Policy: Ustawienia strony zablokowały wczytanie zasobu 
> „self” („script-src https://wandystan.eu”). Source: (function() {            
> var oldCreateE....

And two requests are sent to the report URI, such as
https://wandystan.eu/varia/csp_report.php.

Expected Results:

There are no errors and no violation is reported.

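Added example, not part of the original report and not code from the extension or the affected site: one way a report-uri endpoint could triage the reports described above, tagging extension-caused ones while keeping unknown inline-script violations for review. The field names are the standard "csp-report" JSON keys; the sample prefix is taken from the console excerpt in the report, and the report bodies, example.test and the extension id are constructed.

```python
import json
from collections import Counter

# URL schemes browsers use for extension-owned resources.
EXTENSION_SCHEMES = ("moz-extension:", "chrome-extension:")
# Script-sample prefixes already triaged as extension-injected. This entry is
# the prefix visible in the console excerpt; keeping such a list is an assumption.
KNOWN_EXTENSION_SAMPLES = ("(function() { var oldCreateE",)
# The console excerpt shows the blocked resource as "self"; CSP3 reports use "inline".
INLINE_MARKERS = {"self", "inline"}

# Constructed report bodies, shaped like what a browser POSTs to report-uri.
SAMPLE_REPORTS = [
    '{"csp-report": {"blocked-uri": "self", "script-sample": "(function() {            var oldCreateE"}}',
    '{"csp-report": {"blocked-uri": "inline", "script-sample": "var tracker = 1;"}}',
    '{"csp-report": {"blocked-uri": "", "source-file": "moz-extension://constructed-id/content.js"}}',
    'not json',
]


def classify(body):
    """Return 'extension', 'review' or 'malformed' for one report body."""
    try:
        report = json.loads(body)["csp-report"]
    except (ValueError, KeyError, TypeError):
        return "malformed"
    if not isinstance(report, dict):
        return "malformed"
    blocked = str(report.get("blocked-uri", ""))
    source = str(report.get("source-file", ""))
    if blocked.startswith(EXTENSION_SCHEMES) or source.startswith(EXTENSION_SCHEMES):
        return "extension"
    # Collapse whitespace runs so padded samples compare equal to the list entry.
    sample = " ".join(str(report.get("script-sample", "")).split())
    if blocked in INLINE_MARKERS and sample.startswith(KNOWN_EXTENSION_SAMPLES):
        return "extension"
    # Unknown inline scripts stay visible: they may be a real injection.
    return "review"


def triage(bodies):
    """Count report bodies per class."""
    return Counter(classify(b) for b in bodies)
```

Reports tagged "extension" are best stored separately rather than dropped, since a page script could imitate a listed sample prefix.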