Plasma Integration extension injects its own scripts into pages where inline scripts are disallowed by Content Security Policy, which promptly get blocked by a browser, and then in pages where 'report-uri' directive is present browser sends two reports for every page, which causes the server-side reports log to be cluttered with violation reports caused by the extension. Steps to Reproduce: 1) Install Plasma Integration extension. 2) Go to page where Content Security Policy does not allow inline scripts, e.g. https://wandystan.eu/w/. 3) Open browser console. Actual Results: There are two errors like this: > Content Security Policy: Ustawienia strony zablokowały wczytanie zasobu „self” („script-src https://wandystan.eu”). Source: ( function() { f4207.... > Content Security Policy: Ustawienia strony zablokowały wczytanie zasobu „self” („script-src https://wandystan.eu”). Source: (function() { var oldCreateE.... And two requests to report URI such as https://wandystan.eu/varia/csp_report.php are sent. Expected Results: There are no errors and no violation is reported.
Resolved for now in plugin 1.1
OK, now it works as it should. Thanks!
Created attachment 129640 [details] Console output of test website mentioned in reproduction steps I am still getting the same CSP error within my console. This bug could've resurfaced. See attachment.
Host Version: 5.21.5 Extension Version: 1.8.0.1 And same issue here Content Security Policy: Die Einstellungen der Seite haben das Laden einer Ressource auf inline blockiert ("script-src").
Still regularly running into this problem, is there any way to support?
Is this still an issue? The latest 1.9/2.0 version shouldn’t inject dynamic JavaScript anymore I think.