In The Thunderbird Release Channel (137.0.2) There Are Now Content-Security-Policy Errors in the Debug Console

[WoofGrrrr]

My userChrome.js has been adding <style> elements into the sections of some pages, but now that I have switched from the ESR to the Release Channel, I am seeing the following error:

The page’s settings blocked an inline style (style-src-elem) from being applied because it violates the following directive: “default-src chrome:

Apparently this is caused by Content Security Policy settings.

I am trying figure out how to change these settings, but if anyone has any tips, could you please let me know?

Thanks,
---Mark

[WoofGrrrr]

Also now seeing this:

Content-Security-Policy: The page’s settings blocked the loading of a resource (img-src) at https://addons.thunderbird.net/static/img/addon-icons/default-32.png because it violates the following directive: “img-src chrome: data: moz-icon:” GlobalPopupNotifications.sys.mjs:1035:18

I tried adding this to manifest.json:

"content_security_policy": "default-src 'self'; style-src-elem 'self' 'unsafe-inline'; img-src addons.thunderbird.net;",

But it didn't help.

I tried tall these:

• addons.thunderbird.net
• 'addons.thunderbird.net'
• https://addons.thunderbird.net
• 'https://addons.thunderbird.net'
• https://addons.thunderbird.net/
• 'https://addons.thunderbird.net/'

[WoofGrrrr]

I seem to have been able to work past most of this, but not the problem with img-src

I suspect it has to do with the fact the manifest does NOT specify the icons, so Thunderbird itself is defaulting to its "own" icons at addons.thunderbird.net. However, if it's going to do that, its Content Security Policy should at least allow for it. I have created Bug 1961490

I even tried using the full path to the icon:

"content_security_policy": "default-src 'self'; script-src-elem 'self' 'unsafe-inline'; style-src-elem 'self' 'unsafe-inline'; img-src http://addons.thunderbird.net/ http://addons.thunderbird.net/static/img/addon-icons/default-32.png;",

[WoofGrrrr]

I have continued to look into this, and I have a much better understanding now.

I wrote my userChrome.js script for my own use only.  No one else gave me the code, and I won't be sharing it with anyone.  So I'm not concerned with the potential security issues of what it's doing.

I have made changes to the userChromeJS extension for my own use, but only to add more window types that it runs userChrome.js for. After years of use, my script does a whole lot now.

Now I have added "content_security_policy" to the Manifest and things are now working as I want. I do understand that I am fully responsible for the consequences if what my userChrome.js script does.

I won't be sharing this change to the Manifest - or my script - with anyone.

I have not found a fix for the img-src. It appears this might be a problem with Thunderbird itself: Web Extensions with No Icons in the Manifest Are Getting Content-Security-Policy (img-src) Error