Description
So, um, it looks like firequery is injecting some script into pages that can run into trouble with CSP.
I noticed this because I was having trouble logging into accounts.firefox.com (hoping to tag some stuff on AMO), and when I opened the devtools, this message caught my eye:
```
Content Security Policy: The page's settings observed the loading of a resource at self ("script-src https://accounts.firefox.com https://accounts.cdn.mozilla.net"). A CSP report is being sent.
```
The message is attributed to line 382 of `resource://firequery-at-binaryage-dot-com/lib/firequery-actor.js`, which reads as follows:
```js
win.eval(this.watcher);
```
Given the context,
```js
let win = this.parent.window.wrappedJSObject;
win.addEventListener("jQueryDetected", this.onJQueryDetected, true);
win.addEventListener("firequery-event", this.onDataModified, true);
win.eval(this.watcher);
```
the cause of the problem is obvious: you're calling the debuggee's `eval` function, which is not permitted by the debuggee's CSP.
I was poking around MDN looking for something that might help, and I ran across a link to mozilla bug #1042840, which removed `Components.utils.evalInWindow` because ...
> Now that eval() resolves on Xrayed globals, this is unnecessary. The only functional difference between the two is that evalInWindow implicitly clones its return value, and we've decided in bug 1042824 that we want to move away from implicit cloning.
(Apparently, the change allowing `eval` on Xray'ed global objects was part of bug #933681.)
So it seems like maybe the problem would go away if you skipped the `.wrappedJSObject` here (and before the other `win.eval` call)?