Insecure CSP value "'unsafe-eval'" in directive 'script-src' - javascript

while trying to load a third-party js file into content scripts in chrome extension. I'm facing an unsafe-eval error
My manifest.json looks like this
{
"manifest_version": 3,
"name": "Test",
"version": "1.0",
"host_permissions": ["https://mail.google.com/"],
"content_scripts": [
{
"matches": [
"https://mail.google.com/*"
],
"js": ["3rdparty.js", "code.js"],
"run_at": "document_end"
}
]
}
after loading I'm receiving this error
Error logged: EvalError: Refused to evaluate a string as JavaScript
because 'unsafe-eval' is not an allowed source of script in the
following Content Security Policy directive: "script-src 'self'".
so, I have tried adding csp to the manifest file
{
...,
"content_security_policy": {
"extension_pages": "script-src 'self' 'unsafe-eval'; object-src 'self'"
}
}
then I'm receiving this error in chrome telling that its unable to load the extension
'content_security_policy.extension_pages': Insecure CSP value
"'unsafe-eval'" in directive 'script-src'.

I'm afraid you cannot use 'unsafe-eval' in manifest version 3
Are you executing remote code or arbitrary strings?
You can no longer execute external logic using chrome.scripting.executeScript({code: '...'}), eval(), and new Function().
You have to move all your script into remote or local files.
You may generate scripts on a remote file (eg. php) and execute it using chrome.scripting.executeScript instead of using eval() or consider migrating back to MV2.

Related

Error when i try to use https://apis.google.com/js/api.js in my chrome extension

I am working on a extension that will get your events on your google calendar. I followed this tutorial here. I got it working on my browser by hosting it using python, but when I load my extension into chrome it does not work. This is the error:
Refused to load the script 'https://apis.google.com/js/api.js' because it violates the following Content Security Policy directive: "script-src 'self' blob: filesystem:". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
here is my manifest.json:
{
"manifest_version": 2,
"name": "Google Calendar Extension",
"description": "Gets google calendar api and displays future events.",
"version": "1.0",
"browser_action": {
"default_icon": "icon.png",
"default_popup": "index.html"
},
"Content-Security-Policy": "script-src 'self' https://apis.google.com ; object-src 'self'"
}
Any way to fix it or do I have to do it another way

Chrome extension refused to load the script for Firebase

I am trying to setup firebase database for my chrome extension. However it still refuse to load the script even after I added content_security_policy
console error
"content_security_policy":"script-src 'self' https://www.gstatic.com/ https://*.firebaseio.com https://www.googleapis.com; object-src 'self'",
<script defer src="https://www.gstatic.com/firebasejs/7.11.0/firebase-app.js"></script>
<script defer src="https://www.gstatic.com/firebasejs/7.11.0/firebase-database.js"></script>
You must specify those 2 links in your manifest file under the "content_security_policy" property like so:
"content_security_policy": "script-src 'self' https://www.gstatic.com/firebasejs/7.11.0/firebase-app.js https://www.gstatic.com/firebasejs/7.11.0/firebase-database.js https://www.googleapis.com https://*.firebaseio.com; object-src 'self'"

Chrome - Still getting "refused to load script due to CSP" even after using "unsafe-inline"

This is for a class project that is due very soon, so I am OK with the unsafe-inline (since people won't actually be using our app).
I keep getting these errors
and have tried to find solutions here and elsewhere.
This is in my manifest.json file
{
"name": "Getting Started Example",
"version": "1.0",
"description": "Build an Extension",
"permissions": ["activeTab", "declarativeContent", "storage"],
"content_security_policy": "script-src 'unsafe-inline' http://*
https://ajax.googleapis.com; object-src 'unsafe-inline' http://*"}
"background": {
"scripts": ["background.js"],
"persistent": false
},
I initialize Firebase using the code from the Firebase site in my options.html
<script src="https://www.gstatic.com/firebasejs/5.0.2/firebase.js"></script>
<script>
var config = {stuff from website};
firebase.initializeApp(config);
</script>
I have also tried putting this in my options.js file without the script tags, but then I get "firebase is not defined"
How can I stop getting this error? I thought I was giving it all the permissions, but I still keep getting the same error.
The lines that the error points to, in my options.html, are:
LINE 1
<!DOCTYPE html>
LINE 13 is just < script > on a single line...

Content Security Policy in Chrome App

My Chrome app has the following manifest:
{
"name": ",
"version": "1.0.3",
"manifest_version": 2,
"description": "Chrome Extension for.",
"icons": {
"16": "images/test.png",
"19": "images/test.png",
"256": "images/test.png"
},
"app": {
"background": {
"scripts": [
"background.js"
]
}
},
"sandbox": {
"js": [
"lib/test-api.js"
]
},
"permissions": [
"<all_urls>",
"notifications",
"storage",
"videoCapture"
]
}
I have a script file that runs eval. I have read about CSP and sandboxing, but I still get this error:
Refused to evaluate a string as JavaScript because 'unsafe-eval' is
not an allowed source of script in the following Content Security
Policy directive: "default-src 'self' chrome-extension-resource:".
Note that 'script-src' was not explicitly set, so 'default-src' is
used as a fallback.
Have you tried adding the CSP line to your manifest as per your CSP link?
"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"
What you're showing is not a Chrome extension, but a Chrome app.
Chrome extensions will let you relax the default Content Security Policy; Chrome Apps won’t. (source: CSP docs for Chrome apps; note: this page is different from CSP docs for Chrome extensions).
The next line applies to apps and extensions:
The Content security policy does not apply to a specific script, but a whole page. So, you can only declare a sandbox for a whole page (using the sandbox.pages key in the manifest file). You cannot use "js" as a key in sandbox.
In a Chrome extension, the CSP can be relaxed, e.g. allowing eval using the following policy:
"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"
To turn your app in an extension: Do not use the apps key, but use a background key. With the following manifest, you'll be able to use eval in your background page:
{
"name": "Whatever",
"version": "1.0.3",
"manifest_version": 2,
"background": {
"scripts": [
"background.js"
]
},
"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"
}
(omitted icons / permissions because they're not relevant for the example; omitted sandbox because it's not needed)

Use AngularJS in a Chrome extension

I want to use AngularJS in a Chrome extension but I have an error like this:
Error: SECURITY_ERR: DOM Exception 18
Error: An attempt was made to break through the security policy of the user agent.
at new listConnection
manifest.json :
{
"name": "Chrome auditor connection",
"version": "1",
"icons": { "48": "icone.png",
"128": "icone.png" },
"description": "Chrome-auditor-connection is an extension for Google Chrome browser. It ensures that nobody connects to your browser with your profile.",
"background": {
"scripts": [
"chrome_ex_oauthsimple.js",
"chrome_ex_oauth.js",
"background.js"
]
},
"browser_action": {
"default_title": "Chrome auditor connection",
"default_icon": "icone.png",
"default_popup": "index.html"
},
"permissions": [
"storage"
],
"web_accessible_resources": ["index.html"],
"sandbox": {
"pages": ["index.html","index.js","angular.min.js"]
},
"manifest_version": 2
}
index.js :
function listConnection( $scope) {
$scope.connections = JSON.parse(localStorage['connectionHistory']);
}
I think the JSON.parse() is blocked by the Chrome "Content Security Policy" (CSP).
Do you have any solution?
Your index.js is sandboxed as defined in your manifest.json file.
"A sandboxed page will not have access to extension or app APIs"
So it can't access localstorage.
Remove the sandbox or use something like https://github.com/jamesmortensen/chrome-sandbox-storageAPI for sandboxed pages.
There are two answers for you:
Add ng-csp to your <html> tag, like this <html ng-csp ng-app="AngularAppName"> . See this SO answer
Add this line to manifest.json file
"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self' "
Problems in your code
These are some of problems i see so far with code shared!.
Your index.html is being used as default_popup, web_accessible_resources and in sandbox Pages . It is functionally incorrect, what is you want to develop?
Why do you want to put angular.min.js in sandbox location?
Is index.js used by index.html, if so there is no need to list it explicitly.
Storage is an object per domain, your localstorage differs from sandbox and other pages.

Categories

Resources