New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Removal of support for the object-src directive #17901
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The note was wrong; Firefox didn't stop supporting it, it just stopped requiring unnecessary boilerplate.
Note that Safari doesn't require it either.
So you can also add a note to Chrome (mirrored to Edge and Opera) that they still require object-src to be specified, with a link to the crbug that I shared on Bugzilla.
@@ -6,25 +6,31 @@ | |||
"mdn_url": "https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy", | |||
"support": { | |||
"chrome": { | |||
"version_added": true | |||
"version_added": true, | |||
"notes": "The <code>object-src</code> directive is required." | |||
}, | |||
"edge": { | |||
"version_added": "14", | |||
"notes": "Only the default content security policy is supported: \"script-src 'self'; object-src 'self';\"." |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Edge 79+ is based on chromium and mirrors the same behavior.
Summary
Adds a note to provide documentation for Bug 1766881 Remove object-src requirement from the extension CSP, at least in MV3
Related issues
Related changes to the release notes to be completed.