Switch remaining CSP-vulnerable main world script injection to scripting API

We already migrated most but not all uses of [`window.injectScript()`](https://github.com/EFForg/privacybadger/blob/7d8d051f8457b55a074afd6e64bc5ca441add88d/src/js/contentscripts/utils.js#L29-L44) to the `scripting` API:

- https://github.com/EFForg/privacybadger/commit/c42ec2346924101240a1188c6220d91b06de143c?w=1
- https://github.com/EFForg/privacybadger/commit/b5f4d16937b1fd3f07371173531ac6059ea43fb1?w=1
- https://github.com/EFForg/privacybadger/commit/30b5b4b05d48df50676212ea292cdb0c679a1840?w=1

Let's migrate the rest (search for `injectScript` in the MV3 branch).

The main problem with `window.injectScript()` is that it is subject to page CSPs. This means learning from canvas fingerprinting and local storage is broken on sites with restrictive CSPs (like this very site probably). We pollute the page dev tools console and/or the Errors button on `chrome://extensions/` when this happens.

Related issues: #1793, #1865

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Switch remaining CSP-vulnerable main world script injection to scripting API #3053

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

Switch remaining CSP-vulnerable main world script injection to scripting API #3053

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions