META: content_security_policy for extension contexts

[carlosjeurissen]

To clarify: this issue is about CSP specifically for extension contexts. For making changes to CSP of websites, please see other issues like #7.

This issue has been split up in separate issues and this main issue will function as an overview for everything related to the content_security_policy property for extension contexts.

W3C webextensions issues related to content_security_policy

Open

• Proposal: content_security_policy.content_scripts #95
• Proposal: replacement for deprecated report-uri for content_security_policy #97
• Inconsistency: Default content_security_policy #98
• Inconsistency: custom content_security_policy browser restrictions #99
• Inconsistent support for wildcards in content security policy overrides #163

Closed

• Inconsistency: content_security_policy syntax #96
• it's impossible to integrate google analytics with MV3 #152

Individual browser bugs related to content_security_policy

A summary of some of the bugs which appear in some (old) browsers.

Open

• In Chromium, script-src-elem is handled incorrectly. See Chromium bug 1255412
• https://bugs.chromium.org/p/chromium/issues/detail?id=1247690
• In Firefox. Including report-sample and/or strict-dynamic completely breaks the CSP and the extension will act as if it's not there. Firefox bug report

Approved / Work in Progress

• In Safari. Including the sandbox directive completely disables all CSS on extension pages like popups. Apple Developer Forums post and Apple Feedback Assistant ticket
• In Safari. Protocol source matches Apple Developer Forums post and Apple Feedback Assistant ticket

Shipped

• In Firefox Fennix and older Firefox versions about: protocol is needed in frame-ancestors for the inline options_ui page to work.