Is Chrome violating Content Security Policy?

I made a browser extension for both Chrome and Firefox. The Firefox one is developed with the WebExtensions API, so there are minimal differences in the code between the two extensions. As an important feature of the extension, some HTML elements are added to the web page through content scripts. This includes loading images hosted on a server and served over HTTPS. Now, these images load in Chrome when the extension runs on top of Twitter and GitHub. But, interestingly, the images do not load at all in Firefox when the corresponding extension runs on Twitter and GitHub. Even more interesting is the fact that the Content-Security-Policy set by Twitter in the response header prohibits this image loading, and therefore Firefox behaves correctly. So my question is basically: is Chrome violating CSP here?

Attaching the CSP set by Twitter here:

script-src 'nonce-j0GK1zjoBy82/ZWhR7gw+g==' https://connect.facebook.net https://cm.g.doubleclick.net https://ssl.google-analytics.com https://graph.facebook.com https://twitter.com 'unsafe-eval' https://*.twimg.com https://api.twitter.com https://analytics.twitter.com https://publish.twitter.com https://ton.twitter.com https://syndication.twitter.com https://www.google.com https://t.tellapart.com https://platform.twitter.com https://www.google-analytics.com 'self'; frame-ancestors 'self'; font-src https://twitter.com https://*.twimg.com data: https://ton.twitter.com https://fonts.gstatic.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self'; media-src https://twitter.com https://*.twimg.com https://ton.twitter.com blob: 'self'; connect-src https://graph.facebook.com https://*.giphy.com https://*.twimg.com https://pay.twitter.com https://analytics.twitter.com https://media.riffsy.com https://upload.twitter.com https://api.mapbox.com 'self'; style-src https://fonts.googleapis.com https://twitter.com https://*.twimg.com https://translate.googleapis.com https://ton.twitter.com 'unsafe-inline' https://platform.twitter.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self'; object-src https://twitter.com https://pbs.twimg.com; default-src 'self'; frame-src https://staticxx.facebook.com https://twitter.com https://*.twimg.com https://player.vimeo.com https://pay.twitter.com https://www.facebook.com https://ton.twitter.com https://syndication.twitter.com https://vine.co twitter: https://www.youtube.com https://platform.twitter.com https://upload.twitter.com https://s-static.ak.facebook.com 'self' https://donate.twitter.com; img-src https://graph.facebook.com https://*.giphy.com https://twitter.com https://*.twimg.com data: https://fbcdn-profile-a.akamaihd.net https://www.facebook.com https://ton.twitter.com https://*.fbcdn.net https://syndication.twitter.com https://media.riffsy.com https://www.google.com https://stats.g.doubleclick.net https://*.tiles.mapbox.com https://www.google-analytics.com blob: 'self'; report-uri https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;

"img-src" ... script-src ... ?


CSP ... CSP.

CSP:

There are 3 CSPs:

  • content_security_policy (...). ... script-src 'self'; object-src 'self' ...

  • ... script CSP. unsafe-eval (... executeScript) ... script ... script ...:

  • ... script ... DOM, <script src="..."> ... CSP. ...: <script> /* code */ </script> ...

...

... CORS.

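As an added example (not code from the question or from the answer): a small JavaScript checker for the page policy. Given a CSP header, the page origin and a candidate image URL, it reports whether the page's img-src directive (falling back to default-src, as browsers do) allows that URL. It implements CSP source-expression matching in general (keywords, scheme sources such as data: and blob:, host sources with a leading "*." wildcard, ports and paths), so it covers more than the single twimg.com case in the question. The policy string is a trimmed copy of the Twitter header quoted above with the stripped wildcards restored, and assets.my-extension.example is a constructed stand-in for the extension's own image server. Whether a particular browser applies the page policy to loads that a content script initiates is the separate behaviour the question reports; this code only tells you what the policy itself says.

```javascript
'use strict';

// Constructed sample input: the default-src and img-src part of the Twitter header
// quoted in the question, with the "*." wildcards restored.
const TWITTER_CSP =
  "default-src 'self'; " +
  "img-src https://graph.facebook.com https://*.giphy.com https://twitter.com " +
  "https://*.twimg.com data: https://ton.twitter.com https://*.fbcdn.net " +
  "https://*.tiles.mapbox.com blob: 'self'; " +
  "report-uri https://twitter.com/i/csp_report";

// Parse "directive src src; directive ..." into Map<directive, [sources]>.
// A repeated directive is ignored, as browsers do (the first occurrence wins).
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function defaultPort(protocol) {
  return { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' }[protocol] || '';
}

// True if one source expression allows `url` for a document at `pageOrigin`.
// Handles 'none', 'self', '*', scheme sources (data:, blob:, https:) and host
// sources with optional scheme, "*." wildcard, port and path. Nonces, hashes and
// 'unsafe-*' keywords never match a URL, so they count as non-matching.
function sourceMatches(source, url, pageOrigin) {
  const u = new URL(url);
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return u.origin === pageOrigin;
  if (s === '*') return u.protocol === 'http:' || u.protocol === 'https:';
  if (s.startsWith("'")) return false;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return u.protocol === s; // scheme-source
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  // A host source without a scheme inherits the page's scheme.
  const want = (scheme || new URL(pageOrigin).protocol.slice(0, -1)) + ':';
  // An http source also matches https URLs; an https source never matches http URLs.
  if (u.protocol !== want && !(want === 'http:' && u.protocol === 'https:')) return false;
  if (host.startsWith('*.')) {
    // "*.twimg.com" requires at least one label before ".twimg.com".
    if (!u.hostname.endsWith(host.slice(1))) return false;
  } else if (u.hostname !== host) {
    return false;
  }
  const urlPort = u.port || defaultPort(u.protocol);
  if (port && port !== '*' && port !== urlPort) return false;
  if (path) {
    // A trailing slash means prefix match, otherwise exact (percent-decoding omitted).
    const ok = path.endsWith('/') ? u.pathname.startsWith(path) : u.pathname === path;
    if (!ok) return false;
  }
  return true;
}

// The directive that governs an <img> load: img-src, else default-src, else none.
function governingDirective(policy) {
  if (policy.has('img-src')) return 'img-src';
  if (policy.has('default-src')) return 'default-src';
  return null;
}

// Would the page policy in `header` allow <img src=url> in a document at pageOrigin?
function imgAllowed(header, url, pageOrigin) {
  const directive = governingDirective(parseCsp(header));
  if (directive === null) return true; // the policy says nothing about images
  return parseCsp(header).get(directive).some((src) => sourceMatches(src, url, pageOrigin));
}

// Verdicts for URLs a content script might inject into a twitter.com page.
// Returns { url: allowed } so the result can be inspected or asserted on.
function demo() {
  const origin = 'https://twitter.com';
  const urls = [
    'https://pbs.twimg.com/media/photo.jpg',             // matches https://*.twimg.com
    'https://twitter.com/favicon.ico',                   // matches 'self'
    'data:image/png;base64,iVBORw0KGgo=',                // matches data:
    'https://twimg.com/x.jpg',                           // apex does not match "*."
    'http://pbs.twimg.com/x.jpg',                        // https source, http URL
    'https://assets.my-extension.example/logo.png',      // constructed host, not listed
  ];
  const results = {};
  for (const url of urls) results[url] = imgAllowed(TWITTER_CSP, url, origin);
  return results;
}

if (typeof module !== 'undefined') {
  module.exports = { parseCsp, sourceMatches, imgAllowed, demo, TWITTER_CSP };
}
```

Run it with node and call demo() to get a map of URL to verdict; the constructed extension host comes back false, which is exactly the case the question describes. Inside the extension itself, the cheapest way to confirm what the browser actually did is a securitypolicyviolation listener on document: it fires with blockedURI and violatedDirective when an injected load is refused, and stays silent in a browser that does not apply the page policy to that load.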
