Prerequisites
I tried to reproduce the issue when...
Description
On sites whose CSP uses a nonce on script-src/script-src-elem (so 'unsafe-inline' is neutralized) but explicitly allows blob:, uBO's scriptlet injector logs a CSP violation error on page load, even though scriptlet injection itself succeeds.
This is a side effect of the fix in #235 by @gorhill . uBO's Firefox main-world injector tries a synchronous inline <script> first (to preserve execution-order guarantees before page scripts run), and falls back to a blob: URL if that's blocked. On CSP configurations like the one below, the inline attempt always fails – the nonce means the browser will never make an exception for it – so the fallback always succeeds, but not before Firefox logs a violation.
If we verify the CSP response headers, we could easily avoid this error noise, while keeping the functionality the same. Namely, since uBO already receives the page's CSP response headers in onHeadersReceived, it can evaluate ahead of time whether 'unsafe-inline' would be honored for a given hostname (nonce/hash/'strict-dynamic' present) and skip straight to the blob: path when it won't, instead of attempting and failing every time.
A specific URL where the issue occurs.
Steps to Reproduce
- Load
https://www.threads.com/ with uBO enabled and default filter lists active (default Cookie Notices consent scriptlets trigger this – no custom rule needed).
- Open the browser console.
- Observe the CSP violation logged on load. (Reproduction can be intermittent on the very first load – a separate, unrelated timing issue in the same code path sometimes makes the inline attempt fail before it even reaches the CSP check, silently. If no error appears, reload once or twice.)
- Disable uBO and reload – the error no longer appears, confirming it originates from uBO's scriptlet injection attempt.
Expected behavior
No CSP violation logged – the fallback already handles this case correctly, so the error is spurious noise about an attempt uBO could have skipped.
Troubleshooting information
uBlock Origin: 1.72.2
Firefox: 152
filterset (summary):
network: 182732
cosmetic: 43243
scriptlet: 33623
html: 3642
listset (total-discarded, last-updated):
default:
user-filters: 0-0, never
ublock-filters: 52748-73, now
ublock-badware: 10287-27, now
ublock-privacy: 4064-2, now
ublock-unbreak: 2841-1, now
ublock-quick-fixes: 488-13, now
easylist: 86800-140, now
easyprivacy: 55952-40, now
urlhaus-1: 48005-11, now
plowe-0: 3523-1030, now
filterset (user): [empty]
userSettings: [none]
hiddenSettings: [none]
supportStats:
allReadyAfter: 1111 ms
maxAssetCacheWait: 20 ms
cacheBackend: indexedDB
Prerequisites
I tried to reproduce the issue when...
Description
On sites whose CSP uses a nonce on
script-src/script-src-elem(so'unsafe-inline'is neutralized) but explicitly allowsblob:, uBO's scriptlet injector logs a CSP violation error on page load, even though scriptlet injection itself succeeds.This is a side effect of the fix in #235 by @gorhill . uBO's Firefox main-world injector tries a synchronous inline
<script>first (to preserve execution-order guarantees before page scripts run), and falls back to ablob:URL if that's blocked. On CSP configurations like the one below, the inline attempt always fails – the nonce means the browser will never make an exception for it – so the fallback always succeeds, but not before Firefox logs a violation.If we verify the CSP response headers, we could easily avoid this error noise, while keeping the functionality the same. Namely, since uBO already receives the page's CSP response headers in
onHeadersReceived, it can evaluate ahead of time whether'unsafe-inline'would be honored for a given hostname (nonce/hash/'strict-dynamic'present) and skip straight to theblob:path when it won't, instead of attempting and failing every time.A specific URL where the issue occurs.
https://www.threads.com/Steps to Reproduce
https://www.threads.com/with uBO enabled and default filter lists active (default Cookie Notices consent scriptlets trigger this – no custom rule needed).Expected behavior
No CSP violation logged – the fallback already handles this case correctly, so the error is spurious noise about an attempt uBO could have skipped.
Troubleshooting information