Remote code execution inside a content script

Hello, I've been banging my head on this one for a while.

I'm trying to implement FullStory support in a CSUI-based extension, but the content policy for MV3 is giving me a lot of headaches.

Following the official documentation (https://help.fullstory.com/hc/en-us/articles/360020622854-Can-I-use-Content-Security-Policy-CSP-with-FullStory-) isn't working well because their configurations and CSP include unsafe rules under MV3, causing the extension to be unable to load in a browser. (And well, obviously, not adding the CSP rules just causes any usage of the script to fail, as it can't get through CSP.)

Trying to integrate the script in the background worker isn't going anywhere either, as the script ties heavily into the DOM variables.

I've also tried to follow a similar approach to the Google Analytics example, using a Google Tag Manager import directly in the content script component. This doesn't seem to work properly, though; I get the following error regardless of whether I use the url: scheme or just import the link directly as the example does:

Unknown url scheme or pipeline 'https:'

So I'm starting to run out of ideas here. Any ideas or suggestions, @lab?
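
An added example, not part of the original post and not code from FullStory or the extension framework: a small lint for an MV3 `content_security_policy.extension_pages` value that reports the sources Chrome rejects at install time, which is the failure described above. The function names and sample policies are constructed; the allow-list follows Chrome's documented MV3 minimum (`'self'`, `'none'`, `'wasm-unsafe-eval'`, plus localhost sources for unpacked extensions).

```javascript
// Added example: lint an MV3 extension_pages CSP before loading the extension.
// Chrome's MV3 docs allow only these sources in script-src, object-src and
// worker-src; localhost sources are additionally allowed for unpacked builds.
const RESTRICTED = ["script-src", "object-src", "worker-src"];
const ALLOWED = new Set(["'self'", "'none'", "'wasm-unsafe-eval'"]);
const LOCALHOST = /^https?:\/\/(localhost|127\.0\.0\.1)(:(\d+|\*))?(\/.*)?$/i;

// Split a policy string into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per CSP, a repeated directive is ignored; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return every (directive, source) pair that MV3 would refuse.
function lintMv3Csp(policy, { unpacked = false } = {}) {
  const findings = [];
  const directives = parseCsp(policy);
  for (const name of RESTRICTED) {
    for (const source of directives.get(name) ?? []) {
      const ok =
        ALLOWED.has(source.toLowerCase()) ||
        (unpacked && LOCALHOST.test(source));
      if (!ok) findings.push({ directive: name, source });
    }
  }
  return findings;
}

// Constructed sample policies (not FullStory's published CSP).
const vendorStyle =
  "script-src 'self' 'unsafe-inline' https://vendor.example; " +
  "connect-src https://vendor.example; object-src 'self'";
const mv3Safe =
  "script-src 'self'; object-src 'self'; connect-src https://vendor.example";

console.log(lintMv3Csp(vendorStyle)); // two findings, both in script-src
console.log(lintMv3Csp(mv3Safe));     // no findings
```

Note that the remote host in `connect-src` is not flagged: the MV3 restriction applies to where executable code may come from, not to where a bundled script may send data.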