CSP Issues - At my wits end!

SkewHusky · May 11, 2025, 4:49pm

SO I’ve just moved to the Hosted Test with my extension, but when it loads in the Twitch interface it doesn’t seem to be respecting all the allowed URLs set in the developer config.

Content-Security-Policy: The page’s settings blocked the loading of a resource 
(connect-src) at https://video.bsky.app/watch/did%3Aplc%3A37x2qvt3z5iwuyzusvnvlepi/bafkreib76g6e7zgizticof4i7nkqz5rx64ymkqigimbswuzl7hqjhjntfu/playlist.m3u8 
because it violates the following directive: 
“connect-src 'self' https://lzgcylllyglx755qp8ay2q9a82orlh.ext-twitch.tv https://api.twitch.tv 
wss://pubsub-edge.twitch.tv https://public.api.bsky.app https://*.google-analytics.com 
https://stats.g.doubleclick.net https://www.googletagmanager.com”

But in the extension capabilities, Allowlist for URL Fetching Domains has:
https://public.api.bsky.app, https://video.bsky.app I have also added it the Allowlist for Media Domains

As can be seen in the error, the first url is in the allowed list (added this one earlier during development), but the second one is not added. Additional if I remove all the urls, or make it a wildcard nothing changes, the list in the error message stays the same.

BarryCarlyon · May 11, 2025, 8:16pm

Caching.

It’s a weird caching hiccup.

Theres no sensible repro case for it (never caused it myself)

your browser is seemingly hanging on to a dirty csp.

It could be fixed with a cache clear or reuploading files for hosted test

SkewHusky · May 11, 2025, 9:16pm

So I’ve tried

Disabled cache in Firefox Dev tools
Separate browser window (Chrome instead of Firefox)
An entirely different computer (on a different Twitch account)
Uploaded a new file zip

And all still exhibit the same issue, I can only think it’s something on the Twitch side that hasn’t updated properly or is cached

SkewHusky · May 11, 2025, 9:45pm

So I’ve also just tried

Creating a new version in the same extension
Creating a brand new extension, adding the appropriate entries in the developer console from the get go

On the new extension, the fetching domains had both: https://public.api.bsky.app,https://video.bsky.app

the api one seems to work fine, as the data loads from the API but the video one doesn’t work

SkewHusky · May 12, 2025, 12:18am

And just like that it now seems to have fixed itself, don’t you just love bugs like that!

BarryCarlyon · May 12, 2025, 9:03am

caching or dns, then it’s always dns…

But yeah… a weird one