[2.12.8 RC1] Security errors when requesting binary data with GM_xhr #949

Closed
ghost opened this issue Apr 3, 2020 · 3 comments

@ghost

ghost commented Apr 3, 2020

EDIT: further testing led me to narrow it down to Firefox's privacy.firstparty.isolate setting.

I've been periodically testing master branch for compatibility/improvements/etc. and an important function of my scripts stopped working in the latest master/RC.

With 2.12.8 RC1, I am unable to run my userscript to download all images as a zip. Here is a simplified test script which works fine in 2.12.7 stable:

// ==UserScript==
// @name        BlobTest
// @namespace   Violentmonkey Scripts
// @match       *://*.*/*
// @grant       GM_xmlhttpRequest
// @grant       GM_registerMenuCommand
// @require     https://cdn.jsdelivr.net/npm/jszip@3.3.0/dist/jszip.min.js
// ==/UserScript==

GM_registerMenuCommand("Download Images", () => {
  const zip = new JSZip();
  let requested = 0,
      completed = 0;
  const images = document.querySelectorAll(`img[src*='gif'],img[src*='jpg'],img[src*='png']`);

  images.forEach(img => {
    GM_xmlhttpRequest({
        method: "GET",
        headers: {"Referer": document.URL},
        url: img.src,
        context: ++requested,
        responseType: "arraybuffer", // blob should work too but throws error even in stable version
        onload: response => {
            const filename = ("000" + response.context).slice(-3),
                  filexten = [["image/gif",   "gif"],
                              ["image/jpeg",  "jpg"],
                              ["image/png",   "png"]]
                             .find(type => type[0] == /content-type:\s*([/\w]+)/i.exec(response.responseHeaders)?.[1]);
            zip.file(`${filename}.${filexten[1]}`, response.response);
            completed++;
        }
    });
  });

  let waiting = setInterval(() => {
    if (completed == images.length) {
      clearInterval(waiting);
      zip.generateAsync({type: "blob"})
      .then(zipFile => {
        const link = document.createElement("a");
        link.href = URL.createObjectURL(zipFile);
        link.download = "images.zip";
        document.body.appendChild(link);
        link.click();
      });
    }
  }, 1000);
});

Suspecting it may be caused by another extension, I've tested it in a new profile and got the same results.

What is the problem?

Security errors are thrown in the browser console when I try to obtain image data via GM_xhr.

How to reproduce it?

  1. Install VM 2.12.8 RC 1 & test script.
  2. Open Browser Console (Ctrl + Shift + J) and enable Content Messages from the settings cog.
  3. Visit any website with images and invoke the command from the VM browser action popup.

What is the expected result?

After a moment, an images.zip download prompt should appear. The zip should contain all gif, jpg, and png images from the current page.

What is the actual result?

No images downloaded and errors in Browser Console:
Security Error: Content at <CURRENT URL> may not load data from blob:moz-extension://...
Security Error: Content at moz-extension://... may not load data from blob:moz-extension://...
TypeError: NetworkError when attempting to fetch resource.
... for each attempt to download an image.

Environment

  • Browser: Firefox
  • Browser version: 74.0 (64-bit)
  • Violentmonkey version: 2.12.8 Release Candidate 1
  • OS: Windows 10 1809
@tophf
Member

tophf commented Apr 4, 2020

This is a known bug in FF: it applies page CSP to extension content scripts.
Interestingly, there's no problem in FF 68 ESR.

I've disabled the fast internal blob transfer in FF regardless of the version: 4b2d257.
If someone doesn't like that, post a convincing use case in https://bugzil.la/1294996.

RC2 is up.

@tophf tophf closed this as completed Apr 4, 2020
@ghost
Author

ghost commented Apr 4, 2020

Firefox CSP strikes again! Thank you for the quick investigation and solution. Was FPI also the breaking point in your testing as well? Maybe the FF bug will get a bit more attention if that can be confirmed.

@tophf
Member

tophf commented Apr 4, 2020

I don't have any knowledge about FPI as I never investigated it so I can't say.
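
The Browser Console messages quoted in the report can be triaged mechanically. The following is an added example, not part of the issue thread and not Violentmonkey code: it classifies Firefox's "may not load data from" lines by who requested the blob. The sample lines, the UUID placeholder, the page path and the category names are all constructed for illustration.

```javascript
// Added triage helper (not Violentmonkey code). Sample lines are constructed:
// the report elides the extension UUID, so a placeholder stands in for it.
const SAMPLE_LOG = [
  "Security Error: Content at https://example.com/gallery may not load data from blob:moz-extension://EXT-UUID-PLACEHOLDER/1111-aaaa",
  "Security Error: Content at moz-extension://EXT-UUID-PLACEHOLDER/page.html may not load data from blob:moz-extension://EXT-UUID-PLACEHOLDER/1111-aaaa",
  "TypeError: NetworkError when attempting to fetch resource.",
  "Some unrelated constructed console line",
];

const DENIED = /^Security Error: Content at (.+?) may not load data from (\S+)$/;

// Split "scheme://authority/..." by hand instead of using the URL API:
// moz-extension: is a non-special scheme, so URL#origin serialises as "null".
function parts(url) {
  const isBlob = url.startsWith("blob:");
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/]*)/i.exec(isBlob ? url.slice(5) : url);
  return m ? { isBlob, scheme: m[1].toLowerCase(), authority: m[2] } : null;
}

function classify(line) {
  const m = DENIED.exec(line.trim());
  if (!m) {
    return /NetworkError when attempting to fetch resource/.test(line)
      ? "fetch-failed" : "unrelated";
  }
  const from = parts(m[1]), to = parts(m[2]);
  if (!from || !to || !to.isBlob || to.scheme !== "moz-extension") return "other-denial";
  // Same extension on both sides and still denied: the origin string alone
  // does not explain it, so check per-profile settings such as
  // privacy.firstparty.isolate (what the reporter narrowed it down to).
  if (from.scheme === "moz-extension" && from.authority === to.authority) {
    return "same-extension-blob-denied";
  }
  return "cross-origin-blob-denied";
}

// Count how many lines fall into each category.
function summarize(lines) {
  const counts = {};
  for (const line of lines) {
    const kind = classify(line);
    counts[kind] = (counts[kind] || 0) + 1;
  }
  return counts;
}

console.log(summarize(SAMPLE_LOG));
```
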
