Search code examples
javascriptfirefox-addonmetacontent-security-policy

Firefox blocks resource loading at self (“script-src”)

I'm trying to create a to-do extension for firefox and I need to trigger a function when the delete button is clicked (line 8).

function viewPrevious(){
  var prom = browser.storage.sync.get(null);
  prom.then((res) => {
    var text = '<ul class="list-group list-group-flush">';
    var i;
    for (i = 0; i < res.todos.length; i+=4) {
      text+='<ul class="list-group list-group-flush"><li class="list-group-item">'+res.todos[i]+'   '+res.todos[i+1]+'   '+res.todos[i+2]+'</li>';
      text+='<button type="button" class="btn btn-primary" onClick="myFunc" id='+i+'">Delete</button>';
    }
    text+='</ul>';
    document.getElementById("oldTodos").innerHTML = text;
    window.onload=function(){
      console.log("KKOO");
      var promii = browser.storage.sync.get(null);
      promii.then((res) => {
        for(i=0;i<res.todos.length;i+=4){
          console.log("redda");
          document.getElementById(i.toString()).addEventListener('click',function(){
            console.log('kjk'+i);
            var removingItem = browser.storage.sync.remove(i);
            removingItem.then(function(){
              viewPrevious();
            });
          });
        }
      });
    }
  });
}

I have added the onClick="myFunc" in line 8 and the function is,

function myFunc(){
  console.log("ABC");
}

when I run this and click the button it gives me the following error

Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src”). Source: onclick attribute on BUTTON element.

I tried using meta tags and giving script-src 'unsafe-inline', but it also did not work. And I dont have a good idea about this content security policy

Is there any another way for making this work or am I doing something wrong?

Solution

  • Your issue here is the HTML onclick attribute. To do this correctly, you need to use addEventListener like you are on the later click listener.

    // Untested, but it should put you on the correct path
var ul = document.createElement('ul');
ul.classList.add('list-group', 'list-group-flush');

var i;
for (i = 0; i < res.todos.length; i+=4) {
    // I'm ignoring <ul class="list-group list-group-flush"> from your example, because
    // this doesn't look like you intend to be nesting lists
    var li = document.createElement('li';
    li.classList.add('list-group-item');

    // In your example, you had left an open XSS vulnerability by simply
    // concatenating user todos with your markup, textContent is much safer
    li.textContent = res.todos[i]+'   '+res.todos[i+1]+'   '+res.todos[i+2];
    ul.appendChild(li);

    var button = document.createElement('button');
    button.classList.add('btn', 'btn-primary');
    button.addEventListener('click', myFunc);
    button.id = i;

    ul.appendChild(button);
}
document.getElementById("oldTodos").innerHTML = '';
document.getElementById("oldTodos").appendChild(ul);