Reputation: 65
I have an addon called Numov (VanillaJS app), which would feed the user new movies. When a user clicks the thumbnail, a box would appear and show the trailer of that movie. Before, the Mozilla team did not bother about my manifest setting, this one:
"content_security_policy": "script-src 'self' https://youtube.com https://www.youtube.com https://s.ytimg.com https://ytimg.com; object-src 'self'"
But, just yesterday, when I updated my app to version 2 (converted to ReactJS), I don't know if they have completely changed their rules; they disabled my addon because of that CSP. So I tried removing it and tested locally; as expected, it won't allow me to communicate with YouTube because I removed that setting in my manifest.
So what should I do/add with my manifest file now?
By the way, I can give you the web-version link of the app, but it won't reproduce the error because it should be installed within your Firefox browser first.
This is the addon's link: https://addons.mozilla.org/en-US/firefox/addon/numov/
Upvotes: 1
Views: 165
Reputation: 21
The issue is that extensions are not supposed to download and execute remote JavaScript. But your extension's content security policy is saying that it allows JavaScript to be downloaded and executed from those four YouTube domains.
Depending on what YouTube APIs you're using, you'll need to locally include those JavaScript files in your extension bundle. Afterwards you'll need to remove those four entries from your content security policy.
More information on Mozilla's Content Security Policy requirements for extensions can be found here: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_Security_Policy#Default_content_security_policy
Upvotes: 1
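A pre-submission check for the problem the answer describes, as an added example that is not part of the original question or answer: it parses the `content_security_policy` string from a manifest and lists every remote host or scheme allowed to supply scripts. The function names, and the `name` and `version` values in the sample manifests, are constructed for illustration; only the string form of the policy shown in the question is handled.

```javascript
// Added example: list remote script sources in a WebExtension manifest CSP.

// Split a CSP string into a Map of directive name -> source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // When a directive is repeated, CSP honours only the first occurrence.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Host and scheme sources are unquoted; keywords, hashes and nonces are
// quoted ('self', 'none', 'sha256-...'), so unquoted tokens are the remote ones.
function remoteScriptSources(policy) {
  const directives = parseCsp(policy);
  // script-src falls back to default-src when it is absent.
  const sources =
    directives.get("script-src") ?? directives.get("default-src") ?? [];
  return sources.filter((source) => !source.startsWith("'"));
}

// Takes a parsed manifest.json object. Only the string form of
// content_security_policy (as in the question) is inspected.
function checkManifest(manifest) {
  const csp = manifest.content_security_policy;
  if (typeof csp !== "string") return [];
  return remoteScriptSources(csp);
}

// Policy copied from the question; name and version are constructed.
const questionManifest = {
  name: "example", version: "2.0",
  content_security_policy: "script-src 'self' https://youtube.com https://www.youtube.com https://s.ytimg.com https://ytimg.com; object-src 'self'",
};
// The same manifest after removing the four remote entries, as the answer advises.
const fixedManifest = {
  name: "example", version: "2.0",
  content_security_policy: "script-src 'self'; object-src 'self'",
};

console.log("question manifest:", checkManifest(questionManifest));
console.log("fixed manifest:", checkManifest(fixedManifest));
```
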