inline violated CSP script-src

[rmk92]

Describe Your Environment

• Version of ZoneMinder [release version, development version, or commit]
  1.36.3
  (Unable to use 1.36.5 due to bug Capture daemon being restarted by zmwatch #3271)

• How you installed ZoneMinder [e.g. PPA, RPMFusion, from-source, etc]
  From github Source + Debian buster .dsc and debian tarball on zmrepo

• Full name and version of OS
  Linux 5.13 aarch64
  Debian Buster apache

• Browser name and version (if this is an issue with the web interface)
  Frefox 91.0.2

Describe the bug
CSP errors being logged

To Reproduce
Steps to reproduce the behavior:

1. Have console open with several monitors
2. See error

Expected behavior
CSP not violated

Debug Logs

08/26/21 11:26:58.560391 web_js[12174].ERR [xxyyzz] [inline%20violated%20CSP%20script-src] at moz-extension line 46
08/26/21 11:27:07.952926 web_js[5138].ERR [xxyyzz] [inline%20violated%20CSP%20script-src] at moz-extension line 46
08/26/21 11:27:22.323030 web_js[14216].ERR [xxyyzz] [inline%20violated%20CSP%20script-src] at moz-extension line 46

[connortechnology]

I believe this is not actually a zoneminder problem, but is caused by an extension. In my case the Plasma Integration causes it.
Disabled all extensions and reload and I think you'll find that there isn't a CSP violation. Re-enable extensions one by one until you find out which one causes it.

[rmk92]

Okay, I now know which extension causes it, and it's one that I use heavily... so what are the options? The only way to stop zoneminder logging errors is to completely disable that extension, which isn't a workable solution for me.

Can zoneminder just not log moz-extension CSP errors, so that then I don't have to set the logging level to "fatal" to prevent excess noise in the ZM logs? I've hacked the ZM javascript to do this, so it is possible, so the question is more whether it's desirable?

Thanks.

[connortechnology]

I think that's what we need to do. Have a config option to turn off CSP reporting. Should be easy.

Out of curiosity, which extension causes it for you?

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[ProjectPatatoe]

I found two extensions that cause it for me

• https://addons.mozilla.org/en-US/firefox/addon/darkreader/ (if i have darkmode enabled via the extension)
• https://addons.mozilla.org/en-US/firefox/addon/plasma-integration/

[bceylon]

I'm seeing similar errors with Safari on Mac when Evernote browser Extension is in use (ZM v1.36.24):

8/28/22, 1:10:03 PM GMT+3 web_js 125661 ERR blob violated CSP worker-src safari-extension://D0C6F07F-96C9-49A9-BDB5-85170789FA65/commons.js 2
8/28/22, 1:10:03 PM GMT+3 web_js 115197 ERR Script error. ?view=log -
8/28/22, 1:10:01 PM GMT+3 web_js 115197 ERR blob violated CSP worker-src safari-extension://D0C6F07F-96C9-49A9-BDB5-85170789FA65/commons.js 2
8/28/22, 1:10:01 PM GMT+3 web_js 115197 ERR Script error. ?view=console -