Even though I have added
"content_security_policy": { "extension_pages": "script-src 'self'; object-src 'self'; script-src-elem 'self' 'unsafe-inline' " },
in manifest.json (Manifest V3), I am getting the error in the Chrome extension.
What may be the reason?
Complete error: Failed to load implementation: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'wasm-unsafe-eval'".
I attempted to follow this guide and add the "content_security_policy" tag to my manifest.json as
described in the Chrome documentation. But it did not work for me. Am I wrong, or do I need to do anything else?
Thanks.
I am trying to set up a Firebase database for my Chrome extension. However, it still refuses to load the script even after I added content_security_policy.
console error
"content_security_policy":"script-src 'self' https://www.gstatic.com/ https://*.firebaseio.com https://www.googleapis.com; object-src 'self'",
<script defer src="https://www.gstatic.com/firebasejs/7.11.0/firebase-app.js"></script>
<script defer src="https://www.gstatic.com/firebasejs/7.11.0/firebase-database.js"></script>
You must specify those 2 links in your manifest file under the "content_security_policy" property like so:
"content_security_policy": "script-src 'self' https://www.gstatic.com/firebasejs/7.11.0/firebase-app.js https://www.gstatic.com/firebasejs/7.11.0/firebase-database.js https://www.googleapis.com https://*.firebaseio.com; object-src 'self'"
My Chrome extension should fetch some remote resources from a third-party API through an HTTP request.
const getBoards = callback => {
  fetch("https://gloapi.gitkraken.com/v1/glo/boards", {
    credentials: "include"
  })
    .then(response => { ... })
    .catch(err => { ... });
};
Unfortunately, it throws the following error:
Refused to connect to 'https://gloapi.gitkraken.com/v1/glo/boards' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.
After a bit of research, I found the Chrome requirements to include the URL in the manifest permissions and CSP string.
"permissions": [ ..., "https://gloapi.gitkraken.com/" ],
"content_security_policy": "default-src 'self' gloapi.gitkraken.com; script-src 'self' 'sha256-[...]'; style-src * 'unsafe-inline'; img-src 'self' data:;"
But instead of solving the first error, these changes just caused another.
Ignored insecure CSP value "gloapi.gitkraken.com" in directive 'default-src'.
Is my CSP formatting wrong, or is there something else I should do in order to make this GET HTTP request work?
After a bit more research I found a solution. The URL of the GitKraken API should be in the connect-src property instead of default-src. So my manifest now looks like this:
"permissions": [ ..., "https://gloapi.gitkraken.com/" ],
"content_security_policy": "default-src 'self'; script-src 'self' 'sha256-[...]'; style-src * 'unsafe-inline'; img-src 'self' data:; connect-src https://gloapi.gitkraken.com/;"
More information:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src#Syntax
I want to create a Chrome extension with locally stored JavaScript files that have to be executed. I got permission errors.
Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' http://localhost:5000". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
My permissions in the manifest:
"permissions" : ["activeTab"],
"content_security_policy": "script-src 'self' 'unsafe-eval' ; object-src 'self'"
I am getting the following error while setting the Content-Security-Policy.
Error:
Refused to connect to 'http://localhost:3000/articles' because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-eval' ws:". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.
I am explaining my code below.
<meta http-equiv="Content-Security-Policy"
content="default-src 'self' 'unsafe-eval' ws:;
style-src 'self' 'unsafe-inline';
script-src 'self' http://localhost:4200 'unsafe-inline' 'unsafe-eval';">
In my code I am also connecting to a JSON server, which runs at http://localhost:3000/articles, to read/write the data into a JSON file, but that is where I am getting those related errors. This is my Angular 4 code. I need some help to resolve this error.
If I understand your question right, I think your Angular app runs on localhost:4200 and the API service on localhost:3000? This would explain why you have got that CSP warning, as the request is from a different source according to your current CSP configuration.
Also, ideally, the CSP should be delivered via an HTTP header, which means you will need some kind of server backing to support that. For example, you can have an ASP.NET app that hosts the Angular app, and the CSP can then be configured via the web.config file.
In your case, if it's purely frontend, then perhaps you could alter your CSP setting to something like this. Hopefully it works for you.
<meta http-equiv="Content-Security-Policy"
content="default-src 'self' http://localhost:3000/ 'unsafe-eval' ws:;
style-src 'self' 'unsafe-inline';
script-src 'self' http://localhost:4200 'unsafe-inline' 'unsafe-eval';">
I am using the jQuery simpleWeather plugin to get the weather and trying to create a Chrome widget.
While loading the file as a Chrome extension, I am getting an error; after looking at all the help provided by Google and here itself, I am still not able to resolve this issue.
Below is the error for Yahoo weather:
> jquery-2.1.3.min.js:4 Refused to load the script
> 'https://query.yahooapis.com/v1/public/yql?format=json&rnd=2016437&diagnosti…ces(1)%20where%20text=%22New%20Delhi%22)%20and%20u=%22c%22&_=1462326587463'
> because it violates the following Content Security Policy directive:
> "script-src 'self' blob: filesystem: chrome-extension-resource:".
Another error, which is for a font:
> Refused to load the font
> 'data:application/octet-stream;base64,AAEAAAAPAIAAAwBwR1NVQrD+s+0AAAD8AAAAQk…GIUViwQIhYsQNkRLEmAYhRWLoIgAABBECIY1RYsQMARFlZWVmzDAIBDCq4Af+FsASNsQIARAAA'
> because it violates the following Content Security Policy directive:
> "default-src *". Note that 'font-src' was not explicitly set, so
> 'default-src' is used as a fallback.
The manifest code used is:
"content_security_policy": "script-src 'self'; object-src 'self' https://query.yahooapis.com/",
"permissions": [
  "tabs", "<all_urls>", "http://localhost/",
  "http://*/*", "https://*/*", "https://query.yahooapis.com/*"
],
"content_scripts": [{
  "css": [
    "css/component.css",
    "css/tooltip-line.css",
    "css/modal.css"
  ],
  "js": [
    "js/modernizr.custom.js",
    "js/jquery-2.1.3.min.js",
    "js/jquery.simpleWeather.min.js",
    "js/handlebars-v4.0.5.js",
    "js/moment.min.js",
    "js/background.js"
  ],
  "matches": [ "http://*/*", "https://*/*" ]
}]
Also, in my HTML file I am using this meta tag:
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' http://* 'unsafe-inline'; script-src 'self' http://* 'unsafe-inline' 'unsafe-eval'" />
Can someone please help me with how I can solve this?
Your content-security-policy has "script-src 'self'", which means scripts cannot be loaded from a third-party URL.
You have specified the Yahoo API in the object-src directive. The object-src directive (MDN) specifies valid sources for the <object>, <embed>, and <applet> elements.
To load the script from a third party, you have to specify it in the script-src directive like this:
"content_security_policy": "script-src https://query.yahooapis.com/ 'self'; ..."
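As an added example (not code from any of the posts above), the following JavaScript reproduces the two rules behind the errors quoted in the GitKraken, Angular and Yahoo-weather posts: a fetch directive that is not set explicitly falls back to default-src, and a source expression only matches URLs of a matching scheme, so `*` does not cover data: fonts and object-src never governs a script load. The extension origin is a constructed placeholder.

```javascript
// Minimal CSP evaluator mirroring the rules behind the errors quoted on this page.
// Illustrative code written for this page; it is not Chrome's implementation.
// Parse "directive src src; directive src" into a Map of directive -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Fetch directives (connect-src, font-src, script-src, ...) fall back to default-src when
// not set explicitly, which is what the "used as a fallback" messages above report.
function effectiveSources(directives, directive) {
  return directives.get(directive) ?? directives.get("default-src") ?? [];
}

// Does one source expression match the URL? selfOrigin is e.g. "http://localhost:4200".
function sourceMatches(source, url, selfOrigin) {
  if (source === "'self'") return `${url.protocol}//${url.host}` === selfOrigin;
  if (source.startsWith("'")) return false; // keywords and hashes never match a URL
  if (source === "*") return ["http:", "https:", "ws:", "wss:"].includes(url.protocol); // excludes data:
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase(); // data:, ws:
  // Host source: [scheme://]host[:port][/path]; a schemeless host only covers http/https here.
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (scheme ? url.protocol !== `${scheme.toLowerCase()}:` : !["http:", "https:"].includes(url.protocol)) return false;
  const h = host.toLowerCase();
  const hostOk = h === "*" || (h.startsWith("*.") ? url.hostname.endsWith(h.slice(1)) : url.hostname === h);
  if (!hostOk) return false;
  const urlPort = url.port || (url.protocol === "https:" ? "443" : "80");
  if (port && port !== "*" && urlPort !== port) return false;
  if (path) return path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path;
  return true;
}

// Would a load governed by `directive` (e.g. "connect-src") to urlString be allowed?
function isAllowed(policy, directive, urlString, selfOrigin) {
  const url = new URL(urlString);
  return effectiveSources(parseCsp(policy), directive).some(s => sourceMatches(s, url, selfOrigin));
}

// Constructed checks drawn from the posts above (placeholder extension origin).
const EXT = "chrome-extension://extension-id-placeholder";
console.log(isAllowed("default-src 'self'; script-src 'self'", "connect-src", "https://gloapi.gitkraken.com/v1/glo/boards", EXT)); // false
console.log(isAllowed("default-src 'self'; connect-src https://gloapi.gitkraken.com/;", "connect-src", "https://gloapi.gitkraken.com/v1/glo/boards", EXT)); // true
console.log(isAllowed("default-src *", "font-src", "data:application/octet-stream;base64,AAEA", EXT)); // false: '*' excludes data:
```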