Issue 6744 - Fixed wrapper injection on Chrome 67

inject.preload.js

Index: inject.preload.js
===================================================================
--- a/inject.preload.js
+++ b/inject.preload.js
@@ -363,15 +363,26 @@
   if (typeof sandbox != "string" || /(^|\s)allow-scripts(\s|$)/i.test(sandbox))
   {
     let script = document.createElement("script");
+    let code = "(" + injected + ")('" + randomEventName + "');";
+
     script.type = "application/javascript";
     script.async = false;
-    // Firefox 58 only bypasses site CSPs when assigning to 'src'.
-    let url = URL.createObjectURL(new Blob([
-      "(" + injected + ")('" + randomEventName + "');"
-    ]));
-    script.src = url;
-    document.documentElement.appendChild(script);
+
+    // Firefox 58 only bypasses site CSPs when assigning to 'src',
+    // while Chrome 67 only bypasses site CSPs when using 'textContent'.
+    if (browser.runtime.getURL("").startsWith("chrome-extension://"))

[Sebastian Noack, 2018/06/14 21:03:09]

FWIW, I'm not too happy with this check, but I don't have a better idea.
Ideally, we'd just try to load the script from the blob: URL and then fall back
to textContent, but while this would fix the wrapper, there still would be a
failed request logged to the console.

[kzar, 2018/06/15 07:52:07]

Acknowledged.

+    {
+      script.textContent = code;
+      document.documentElement.appendChild(script);
+    }
+    else
+    {
+      let url = URL.createObjectURL(new Blob([code]));
+      script.src = url;
+      document.documentElement.appendChild(script);
+      URL.revokeObjectURL(url);
+    }
+
     document.documentElement.removeChild(script);
-    URL.revokeObjectURL(url);
   }
 }