Safari: YouTube CSP blocks web-accessible bootstrap scripts, so page features never initialize #3773

@alextyang

Title: Safari: YouTube CSP blocks page-world bootstrap scripts, so the extension loads but does not affect the page

Concise Description

On Safari, ImprovedTube can appear installed and enabled, but no YouTube-page functionality initializes. Safari logs a CSP error when the content script tries to inject safari-web-extension://.../js&css/web-accessible/core.js into the page via a <script> tag.

Browser/s

  • Safari

Steps to reproduce - Which of our features is required for the bug to happen?

  1. Build or install the Safari version of the extension.
  2. Enable it in Safari.
  3. Open https://www.youtube.com/.
  4. Observe that the extension UI may load, but page features do not apply on YouTube.
  5. Open the browser console on the YouTube tab.

Since when?

Observed on current Safari local build generated from the current master branch as of April 11, 2026.

Does the bug still happen when you log out of YouTube?

Yes

Are any errors or related log-messages shown in the Browser-Console? (F12)

Yes:

Refused to load safari-web-extension://.../js&css/web-accessible/core.js because it does not appear in the script-src directive of the Content Security Policy.

Expected preferred behavior

Safari should initialize the page-world runtime without relying on DOM <script src="safari-web-extension://..."> injection that is blocked by YouTube's CSP.

ImprovedTube Version

Current repository master at commit 81bf9086ee9aea0ee7ed90eecee6ad541ae28c2e plus local Safari packaging.

OS / Device

macOS

Notes

The current architecture injects the YouTube runtime from js&css/extension/init.js by appending web-accessible scripts into the page. This works in Chromium-based browsers, but Safari appears to enforce YouTube's CSP against those injected safari-web-extension:// script URLs.

A local fix that solved the issue without changing non-Safari behavior was:

  • add the scripting permission to manifest.json
  • on Safari only, ask the background script to inject the web-accessible JS/CSS files with chrome.scripting.executeScript(..., { world: 'MAIN' }) / chrome.scripting.insertCSS(...)
  • keep the existing DOM-based injection path for non-Safari environments

If useful, I can open a PR with that isolated change.
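
The Safari-only path described in the Notes, sketched as an added example; it is not part of the original issue and not ImprovedTube's code. The message type `inject-page-world`, the function names, the CSS file name and the sender checks are assumptions; only the `core.js` path comes from the issue.

```javascript
// Added example, not ImprovedTube source. The message type, function names and
// CSS file name are assumptions; only the core.js path comes from the issue.
const PAGE_JS = ['js&css/web-accessible/core.js'];
const PAGE_CSS = ['js&css/web-accessible/example.css']; // hypothetical file

// Safari serves extension resources from the safari-web-extension: scheme.
const isSafari = (api) => api.runtime.getURL('').startsWith('safari-web-extension://');

// Content-script side: Safari asks the background script; others keep the DOM path.
function bootstrap(api, domInject) {
  return isSafari(api) ? api.runtime.sendMessage({ type: 'inject-page-world' }) : domInject();
}

// Requests for chrome.scripting (needs the "scripting" permission and host access).
function injectionPlan(tabId, frameId = 0) {
  const target = { tabId, frameIds: [frameId] };
  return { css: { target, files: PAGE_CSS }, js: { target, files: PAGE_JS, world: 'MAIN' } };
}

// Background side. MAIN-world code shares the page's JavaScript context, so accept
// the request only from this extension's own content script on a YouTube page.
function handleMessage(api, message, sender) {
  if (!message || message.type !== 'inject-page-world') return null;
  if (sender.id !== api.runtime.id || !sender.tab) return null;
  let host;
  try { host = new URL(sender.url).hostname; } catch { return null; }
  if (host !== 'www.youtube.com') return null;
  const plan = injectionPlan(sender.tab.id, sender.frameId);
  return api.scripting.insertCSS(plan.css)
    .then(() => api.scripting.executeScript(plan.js))
    .then(() => ({ ok: true }));
}

// Register the listener only where the scripting API exists (background context).
if (typeof chrome !== 'undefined' && chrome.scripting) {
  chrome.runtime.onMessage.addListener((msg, sender, sendResponse) => {
    const pending = handleMessage(chrome, msg, sender);
    if (!pending) return false;
    pending.then(sendResponse, (e) => sendResponse({ ok: false, error: String(e) }));
    return true; // keep the channel open for the async response
  });
}
```

Because the files are injected through the scripting API rather than a `<script src>` element, the page's `script-src` directive is not consulted for them.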
