
Does Firefox allow extensions to bypass a normal web page's CSP?


I have a web page with a CSP like this:

<meta http-equiv="Content-Security-Policy" content="script-src 'self' https://d2wy8f7a9ursnm.cloudfront.net https://cdn.polyfill.io https://browser-update.org https://static.zdassets.com https://ekr.zdassets.com https://mysite.zendesk.com wss://mysite.zendesk.com https://*.zopim.com https://*.googleapis.com 'unsafe-inline' 'unsafe-eval'">

For privacy reasons, in this post, I replaced the name of my company with mysite. Also note that the use of unsafe-eval is because I have some legacy code that requires it for templating.

My site includes Bugsnag error monitoring, and I picked up a particular error for a user where the breadcrumbs show XMLHttpRequest calls to suspicious domains that sound like adware and/or malware. There is also a console log string "swbtest loaded".

Although it's possible that the user disabled the Firefox setting security.csp.enable, I find it highly unlikely. This user is a customer I emailed with, and she doesn't seem like the type to do that.

My questions are: (1) Does this look like a Firefox extension/plugin? (2) If so, how is it bypassing my CSP? Or does unsafe-eval allow extensions to access? (3) Would it help to add a connect-src rule for the CSP?

Thanks.


Solution

Extensions don't care about the page CSP at all. They can run code alongside your code (where they are not bound by the page CSP), or inject arbitrary code in the page JavaScript context.

Further, extensions have enough power to override the page CSP on the fly (e.g. by rewriting response headers), but they usually don't need it.

There's nothing that you, the website author, can do to prevent extensions interfering with your page.

Unfortunately, that means "noise" in reports you get.

Of note, "swbtest" seems to be related to Selenium browser automation / test suite.
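As an added example (not code from the question or the answer above), the following Python helper parses the CSP quoted in the question, resolves connect-src through its default-src fallback, and labels sample XHR breadcrumb URLs. The page origin, the breadcrumb URLs and the hardened policy are constructed for illustration; port numbers and path matching are ignored, which is a simplification of the CSP matching rules. It shows two things: with the question's policy there is neither connect-src nor default-src, so page code faces no connection restriction at all; and once a connect-src is present, a breadcrumb to an unlisted host could not have been issued by page code under CSP, which makes extension-injected code the likelier source. As the answer says, the directive does not stop the extension itself; it only makes the noise easier to recognise.

```python
"""Triage XHR breadcrumbs from an error-monitoring report against a page CSP.

Added example, not part of the original post. PAGE_CSP is the policy quoted
in the question; PAGE_ORIGIN, SAMPLE_XHR_URLS and HARDENED_CSP are constructed.
"""
import fnmatch
from urllib.parse import urlparse

PAGE_CSP = ("script-src 'self' https://d2wy8f7a9ursnm.cloudfront.net "
            "https://cdn.polyfill.io https://browser-update.org "
            "https://static.zdassets.com https://ekr.zdassets.com "
            "https://mysite.zendesk.com wss://mysite.zendesk.com "
            "https://*.zopim.com https://*.googleapis.com "
            "'unsafe-inline' 'unsafe-eval'")

# Constructed: the same policy with a connect-src added. The error-monitoring
# SDK's own reporting endpoints would also need to be listed (omitted here).
HARDENED_CSP = PAGE_CSP + ("; connect-src 'self' https://mysite.zendesk.com "
                           "wss://mysite.zendesk.com https://*.zopim.com")

PAGE_ORIGIN = "https://mysite.example"  # assumed origin of the page

# Constructed breadcrumb URLs, not real report contents.
SAMPLE_XHR_URLS = [
    "https://mysite.example/api/session",               # page's own API
    "https://mysite.zendesk.com/api/v2/help_center",    # listed host
    "https://v2.zopim.com/widget/status",               # matches wildcard host
    "https://collect.adware-like.invalid/beacon?id=1",  # unlisted host
]

# CSP fetch directives fall back to default-src when absent.
FETCH_FALLBACK = {"connect-src": "default-src", "script-src": "default-src"}

UNRESTRICTED, ALLOWED, OUTSIDE_POLICY = "unrestricted", "allowed", "outside-policy"


def parse_csp(policy):
    """Return {directive: [source expressions]} from a header or meta value."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def effective_sources(directives, directive):
    """Walk the fallback chain; None means no directive governs the request."""
    while directive is not None:
        if directive in directives:
            return directives[directive]
        directive = FETCH_FALLBACK.get(directive)
    return None


def source_matches(expr, url, page_origin):
    """Host-source matching with scheme and wildcard host (ports/paths ignored)."""
    u = urlparse(url)
    if expr.startswith("'"):
        if expr == "'self'":
            p = urlparse(page_origin)
            return (u.scheme, u.hostname) == (p.scheme, p.hostname)
        return False  # 'unsafe-inline', 'unsafe-eval', ... name no endpoint
    if "://" in expr:
        scheme, _, rest = expr.partition("://")
        if u.scheme != scheme:
            return False
    else:
        rest = expr
    host_pattern = rest.split("/")[0].split(":")[0].lower()
    return fnmatch.fnmatchcase(u.hostname or "", host_pattern)


def classify_xhr(url, directives, page_origin):
    """Label one XHR target relative to the policy that governs connections."""
    sources = effective_sources(directives, "connect-src")
    if sources is None:
        return UNRESTRICTED
    if any(source_matches(s, url, page_origin) for s in sources):
        return ALLOWED
    return OUTSIDE_POLICY


def triage(urls, policy, page_origin):
    """Return [(url, verdict)] for every breadcrumb URL under the given CSP."""
    directives = parse_csp(policy)
    return [(u, classify_xhr(u, directives, page_origin)) for u in urls]


if __name__ == "__main__":
    for label, policy in (("question's CSP", PAGE_CSP), ("with connect-src", HARDENED_CSP)):
        print(f"--- {label} ---")
        for url, verdict in triage(SAMPLE_XHR_URLS, policy, PAGE_ORIGIN):
            print(f"{verdict:15} {url}")
```

Under the question's policy every URL comes back "unrestricted": connect-src is absent and so is default-src, so nothing in the page's own CSP would have stopped page code from reaching any of them. Under the hardened policy the unlisted host is reported as "outside-policy": a breadcrumb to it in a report from a browser that enforces CSP points to code running outside the page's policy, for example an extension.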