by gear54rus 433 days ago
One of the possible workarounds would be to just remove the damn header before it causes any further inconvenience. I think they do allow `webRequest` API usage in the store, don't they?

Removing security headers like Content-Security-Policy is forbidden by the addons.mozilla.org policy.

https://extensionworkshop.com/documentation/publish/add-on-p...

I don't think this is being enforced in practice, thankfully.
It is. It happened to us a few weeks ago.
That's crazy. Did it happen to a public extension or an unlisted one?
Public, with about half a million installations.

I think it was noticed only because this version had a major bug that broke a bunch of websites.

We modified the CSP to inject a per-user generated nonce that exempts its script from the policy.

They said this was not allowed and removed it from the extension store.