diff --git a/packages/react-devtools-extensions/src/injectGlobalHook.js b/packages/react-devtools-extensions/src/injectGlobalHook.js index 550e2f38512aa..390084ead20da 100644 --- a/packages/react-devtools-extensions/src/injectGlobalHook.js +++ b/packages/react-devtools-extensions/src/injectGlobalHook.js @@ -31,8 +31,12 @@ window.addEventListener('message', function(evt) { reactBuildType: evt.data.reactBuildType, }; chrome.runtime.sendMessage(lastDetectionResult); + + // Inject the backend. This is done in the content script to avoid CSP + // and Trusted Types violations, since content scripts can modify the DOM + // and are not subject to the page's policies } else if (evt.data.source === 'react-devtools-inject-backend') { - //Inject the specified script + // the prototype stuff is in case document.createElement has been modified var script = document.constructor.prototype.createElement.call(document, 'script'); script.src = chrome.runtime.getURL('build/backend.js'); script.charset = "utf-8"; diff --git a/packages/react-devtools-extensions/src/main.js b/packages/react-devtools-extensions/src/main.js index d5ff4a40c268c..7649d099f73c5 100644 --- a/packages/react-devtools-extensions/src/main.js +++ b/packages/react-devtools-extensions/src/main.js @@ -138,14 +138,10 @@ function createPanelIfReactLoaded() { chrome.devtools.inspectedWindow.eval( `window.postMessage({ source: 'react-devtools-inject-backend' });`, function(response, error) { - if (error) { - console.log(error); - } - - if (typeof done === 'function') { - done(); + if (error) { + console.log(error); + } } - } ); const viewElementSourceFunction = createViewElementSource(