Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: mv2 firefox csp header #27770

Merged
merged 53 commits into from
Nov 7, 2024
Merged

fix: mv2 firefox csp header #27770

merged 53 commits into from
Nov 7, 2024

Conversation

itsyoboieltr
Copy link
Contributor

@itsyoboieltr itsyoboieltr commented Oct 10, 2024

Description

Open in GitHub Codespaces

This PR implements a workaround for a long-standing Firefox MV2 bug where the content-security-policy header is not bypassed, triggering an error.

The solution is simple: we check if the extension is MV2 running in Firefox. If yes, we override the header to prevent the error from raising.

Related issues

Fixes: #3133, https://github.com/MetaMask/MetaMask-planning/issues/3342

Manual testing steps

  1. Opening github.com should not trigger the CSP error

Screenshots/Recordings

Before

csp-toggle-off reprod

After

csp-toggle-on fixed

Pre-merge author checklist

Pre-merge reviewer checklist

  • I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
  • I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

@itsyoboieltr itsyoboieltr requested a review from a team as a code owner October 10, 2024 17:29
Copy link
Contributor

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

@itsyoboieltr itsyoboieltr requested a review from kumavis as a code owner October 14, 2024 20:45
Copy link

Quality Gate Failed Quality Gate failed

Failed conditions
1 Security Hotspot
18.8% Coverage on New Code (required ≥ 80%)

See analysis details on SonarCloud

@itsyoboieltr itsyoboieltr dismissed stale reviews from DDDDDanica and davidmurdoch via 75e16be November 4, 2024 20:11
Copy link
Contributor

@danjm danjm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good to me overall. Has anyone manually tested with a prod-like build?

@metamaskbot
Copy link
Collaborator

Builds ready [cec02cb]
Page Load Metrics (2095 ± 90 ms)
PlatformPageMetricMin (ms)Max (ms)Average (ms)StandardDeviation (ms)MarginOfError (ms)
ChromeHomefirstPaint30924752030432207
domContentLoaded17542464206817785
load17632477209518890
domInteractive229045199
backgroundConnect9153283316
firstReactRender532891276431
getState56619188
initialActions01000
loadScripts12301777151013967
setupStore1485442411
uiStartup203628622422242116
Bundle size diffs [🚨 Warning! Bundle size has increased!]
  • background: 3 KiB (0.07%)
  • ui: 2.03 KiB (0.03%)
  • common: 604 Bytes (0.01%)

@itsyoboieltr
Copy link
Contributor Author

@danjm I manually tested it today with a prod-like build using the command:

yarn webpack --env production --no-lavamoat --browser firefox

it worked for me locally.

@DDDDDanica
Copy link
Contributor

DDDDDanica commented Nov 7, 2024

Hey @itsyoboieltr I used the build from bot above and tested locally the zip in firefox. I noticed that in firefox page we won't receive any errors, while in extension log we still have it, is this expected?
截屏2024-11-07 11 26 46

截屏2024-11-07 11 28 25

@itsyoboieltr
Copy link
Contributor Author

Hi @DDDDDanica, thank you for checking out and testing the PR! The error logs in the extension are unrelated to the issue. This PR is about fixing the CSP error messages for websites (not the extension itself). The screenshot you sent seems to be showing a pre-existing error. I could reproduce the same error messages in the console by running the current build from develop.

@DDDDDanica
Copy link
Contributor

@itsyoboieltr thanks for the explanation, just to make sure it is not related, approve now !

@itsyoboieltr itsyoboieltr added this pull request to the merge queue Nov 7, 2024
Merged via the queue into develop with commit 54c563e Nov 7, 2024
76 checks passed
@itsyoboieltr itsyoboieltr deleted the fix-firefox-csp branch November 7, 2024 18:41
@github-actions github-actions bot locked and limited conversation to collaborators Nov 7, 2024
@metamaskbot metamaskbot added the release-12.8.0 Issue or pull request that will be included in release 12.8.0 label Nov 7, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
release-12.8.0 Issue or pull request that will be included in release 12.8.0 team-extension-platform
Projects
Archived in project
Development

Successfully merging this pull request may close these issues.

Inpage injection fails in Firefox under some CSP settings
7 participants