I am trying to set up a Firebase database for my Chrome extension. However, it still refuses to load the script even after I added content_security_policy.
console error
"content_security_policy":"script-src 'self' https://www.gstatic.com/ https://*.firebaseio.com https://www.googleapis.com; object-src 'self'",
<script defer src="https://www.gstatic.com/firebasejs/7.11.0/firebase-app.js"></script>
<script defer src="https://www.gstatic.com/firebasejs/7.11.0/firebase-database.js"></script>
You must specify those 2 links in your manifest file under the "content_security_policy" property like so:
"content_security_policy": "script-src 'self' https://www.gstatic.com/firebasejs/7.11.0/firebase-app.js https://www.gstatic.com/firebasejs/7.11.0/firebase-database.js https://www.googleapis.com https://*.firebaseio.com; object-src 'self'"
Even though I have added
"content_security_policy": { "extension_pages": "script-src 'self'; object-src 'self'; script-src-elem 'self' 'unsafe-inline' " },
in manifest.json (Manifest V3), I am getting the error in my Chrome extension.
What may be the reason?
Complete error: Failed to load implementation: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'wasm-unsafe-eval'".
I attempted to follow this guide and add the "content_security_policy" tag to my manifest.json as
described in the Chrome documentation, but it did not work for me. Am I wrong, or do I need to do anything else?
Thanks.
My Chrome extension should fetch some remote resources from a 3rd-party API through an HTTP request.
const getBoards = callback => {
fetch("https://gloapi.gitkraken.com/v1/glo/boards", {
credentials: "include"
})
.then(response => { ... })
.catch(err => { ... });
};
Unfortunately it throws the following error:
Refused to connect to 'https://gloapi.gitkraken.com/v1/glo/boards' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.
After a bit of research, I found the Chrome requirement to include the URL in the manifest permissions and in the CSP string.
"permissions": [ ..., "https://gloapi.gitkraken.com/" ],
"content_security_policy": "default-src 'self' gloapi.gitkraken.com; script-src 'self' 'sha256-[...]'; style-src * 'unsafe-inline'; img-src 'self' data:;"
But instead of solving the first error these changes just caused another.
Ignored insecure CSP value "gloapi.gitkraken.com" in directive 'default-src'.
Is my CSP formatting wrong, or is there something else I should do in order to make this GET HTTP request work?
After a bit more research I found a solution. The URL of the GitKraken API should be in the connect-src property, instead of default-src. So my manifest now looks like this:
"permissions": [ ..., "https://gloapi.gitkraken.com/" ],
"content_security_policy": "default-src 'self'; script-src 'self' 'sha256-[...]'; style-src * 'unsafe-inline'; img-src 'self' data:; connect-src https://gloapi.gitkraken.com/;"
More information:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src#Syntax
I want to create a Chrome extension in which locally stored JavaScript files have to be executed. I got permission errors.
Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' http://localhost:5000". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
My permissions in the manifest:
"permissions" : ["activeTab"],
"content_security_policy": "script-src 'self' 'unsafe-eval' ; object-src 'self'"
I am using the jQuery simpleWeather plugin to get the weather and trying to create a Chrome widget.
While loading the file as a Chrome extension, I am getting an error; after looking at all the help provided by Google and here itself, I am still not able to resolve this issue.
Below is the error for Yahoo weather:
> jquery-2.1.3.min.js:4 Refused to load the script
> 'https://query.yahooapis.com/v1/public/yql?format=json&rnd=2016437&diagnosti…ces(1)%20where%20text=%22New%20Delhi%22)%20and%20u=%22c%22&_=1462326587463'
> because it violates the following Content Security Policy directive:
> "script-src 'self' blob: filesystem: chrome-extension-resource:".
Another error, which is for the font:
> Refused to load the font
> 'data:application/octet-stream;base64,AAEAAAAPAIAAAwBwR1NVQrD+s+0AAAD8AAAAQk…GIUViwQIhYsQNkRLEmAYhRWLoIgAABBECIY1RYsQMARFlZWVmzDAIBDCq4Af+FsASNsQIARAAA'
> because it violates the following Content Security Policy directive:
> "default-src *". Note that 'font-src' was not explicitly set, so
> 'default-src' is used as a fallback.
The manifest code used is:
"content_security_policy": "script-src 'self'; object-src 'self' https://query.yahooapis.com/",
"permissions": [
"tabs", "<all_urls>", "http://localhost/",
"http://*/*", "https://*/*", "https://query.yahooapis.com/*"
],
"content_scripts":
[{
"css": [
"css/component.css",
"css/tooltip-line.css",
"css/modal.css"
],
"js": [
"js/modernizr.custom.js",
"js/jquery-2.1.3.min.js",
"js/jquery.simpleWeather.min.js",
"js/handlebars-v4.0.5.js",
"js/moment.min.js",
"js/background.js"
],
"matches": [ "http://*/*", "https://*/*"]
}]
Also, in my HTML file I am using this meta tag:
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' http://* 'unsafe-inline'; script-src 'self' http://* 'unsafe-inline' 'unsafe-eval'" />
Can someone please help me with how I can solve this?
Your content-security-policy has "script-src 'self'", which means scripts cannot be loaded from a third-party URL.
You have specified yahoo API in the object-src directive. object-src directive (MDN) specifies valid sources for the <object>, <embed>, and <applet> elements.
To load the script from a third party, you have to specify in script-src directive like this:
"content_security_policy": "script-src https://query.yahooapis.com/ 'self'; ..."
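The three threads above (the Firebase script-src allowlist, the GitKraken connect-src fallback, and the Yahoo object-src mix-up) all come down to one question: given the manifest's policy string, which directive decides a given load, and does any source in it match the URL? The following is an added example, not code from any of the posts: a small offline checker in Node.js that models exactly that. It implements the spec's host-source and scheme-source matching, the fallback to default-src, and the manifest sanitization that produced the "Ignored insecure CSP value" message (non-https host sources are dropped from script-src, object-src, worker-src and default-src, with http://localhost and 127.0.0.1 as the exceptions). It is a simplified model, not Chrome's parser (it does not model the additional Manifest V3 restrictions, and the extension id used for 'self' is made up), and the policy strings at the bottom are reconstructed from the posts above.

```javascript
// Added example (not from any post on this page): answers "will Chrome let my
// extension page load THIS url as THIS kind of resource under THIS manifest
// policy?" for a Manifest V2 "content_security_policy" string.
// Simplified model of CSP source matching, not Chrome's implementation.

const SELF_ORIGIN = 'chrome-extension://abcdefghijklmnopabcdefghijklmnop'; // constructed id

// Directives that fall back to default-src when not set explicitly.
const FALLS_BACK_TO_DEFAULT = new Set([
  'script-src', 'connect-src', 'font-src', 'img-src', 'object-src',
  'style-src', 'worker-src', 'media-src', 'frame-src',
]);

// Directives whose host sources Chrome sanitizes in an extension manifest
// (default-src is included because it is the fallback for script-src).
const SANITIZED = new Set(['script-src', 'object-src', 'worker-src', 'default-src']);

function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function defaultPort(protocol) {
  return { 'https:': '443', 'http:': '80' }[protocol] || '';
}

// True when Chrome would drop this source from a sanitized directive
// ("Ignored insecure CSP value ..."): schemeless hosts, http://, "*", data: ...
function isInsecureSource(source) {
  const s = source.toLowerCase();
  if (s.startsWith("'")) return false;   // keywords ('self', hashes, ...) are not host sources
  if (/^(blob|filesystem|chrome-extension|chrome-extension-resource):$/.test(s)) return false;
  if (s.startsWith('https://')) return false;
  if (/^http:\/\/(localhost|127\.0\.0\.1)(:\d+)?(\/.*)?$/.test(s)) return false;
  return true;
}

// Does one source expression ('self', a scheme like "data:", or a host source
// such as "https://*.firebaseio.com" or "https://www.gstatic.com/") match the URL?
function sourceMatches(source, url) {
  if (source.startsWith("'")) {
    // only 'self' can match a URL; nonces, hashes and unsafe-* never do
    return source.toLowerCase() === "'self'" && `${url.protocol}//${url.host}` === SELF_ORIGIN;
  }
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^/:*]+)(?::(\d+|\*))?(\/.*)?$/i.exec(source);
  if (!m) return false;
  const scheme = m[1] ? m[1].toLowerCase() + ':' : null;
  const host = m[2].toLowerCase();
  const port = m[3];
  const path = m[4];
  // a schemeless host source only ever matches http(s), so "*" never matches data:
  if (scheme ? url.protocol !== scheme : !['http:', 'https:'].includes(url.protocol)) return false;
  if (host.startsWith('*.')) {
    if (!url.hostname.endsWith(host.slice(1))) return false;
  } else if (host !== '*' && url.hostname !== host) return false;
  if (port && port !== '*' && (url.port || defaultPort(url.protocol)) !== port) return false;
  if (path) {
    // a trailing "/" makes the path a prefix; otherwise it must match exactly,
    // which is why allowlisting ".../7.11.0/firebase-app.js" breaks on the next version
    if (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path) return false;
  }
  return true;
}

// type: "script", "connect", "font", "img", "object", "style", ...
// Returns { allowed, directive (the one that decided), ignored (sources Chrome dropped) }.
function checkLoad(policy, type, urlString) {
  const directives = parseCsp(policy);
  const url = new URL(urlString);
  let directive = `${type}-src`;
  let sources = directives.get(directive);
  if (!sources && FALLS_BACK_TO_DEFAULT.has(directive)) {
    directive = 'default-src';
    sources = directives.get(directive);
  }
  if (!sources) return { allowed: true, directive: null, ignored: [] };
  const ignored = SANITIZED.has(directive) ? sources.filter(isInsecureSource) : [];
  const usable = sources.filter((s) => !ignored.includes(s));
  return { allowed: usable.some((s) => sourceMatches(s, url)), directive, ignored };
}

// Policies reconstructed from the posts above.
const FIREBASE = "script-src 'self' https://www.gstatic.com/firebasejs/7.11.0/firebase-app.js https://www.googleapis.com https://*.firebaseio.com; object-src 'self'";
const GLO_BAD = "default-src 'self' gloapi.gitkraken.com; script-src 'self'";
const GLO_OK = "default-src 'self'; script-src 'self'; connect-src https://gloapi.gitkraken.com/";
const YQL_BAD = "script-src 'self'; object-src 'self' https://query.yahooapis.com/";
const YQL_OK = "script-src https://query.yahooapis.com/ 'self'; object-src 'self'";

console.log(checkLoad(GLO_BAD, 'connect', 'https://gloapi.gitkraken.com/v1/glo/boards'));
console.log(checkLoad(YQL_BAD, 'script', 'https://query.yahooapis.com/v1/public/yql?format=json'));
```

For a Manifest V3 manifest, pass the `extension_pages` string instead of the whole object. Run it against every remote URL your extension actually loads before you ship: the GitKraken result reports `default-src` as the deciding directive with the schemeless host in `ignored`, and the Yahoo result shows that the host listed under `object-src` is never consulted for a script.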
My Chrome app has the following manifest:
{
"name": "",
"version": "1.0.3",
"manifest_version": 2,
"description": "Chrome Extension for.",
"icons": {
"16": "images/test.png",
"19": "images/test.png",
"256": "images/test.png"
},
"app": {
"background": {
"scripts": [
"background.js"
]
}
},
"sandbox": {
"js": [
"lib/test-api.js"
]
},
"permissions": [
"<all_urls>",
"notifications",
"storage",
"videoCapture"
]
}
I have a script file that runs eval. I have read about CSP and sandboxing, but I still get this error:
Refused to evaluate a string as JavaScript because 'unsafe-eval' is
not an allowed source of script in the following Content Security
Policy directive: "default-src 'self' chrome-extension-resource:".
Note that 'script-src' was not explicitly set, so 'default-src' is
used as a fallback.
Have you tried adding the CSP line to your manifest as per your CSP link?
"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"
What you're showing is not a Chrome extension, but a Chrome app.
Chrome extensions will let you relax the default Content Security Policy; Chrome Apps won’t. (source: CSP docs for Chrome apps; note: this page is different from CSP docs for Chrome extensions).
The next line applies to apps and extensions:
The Content Security Policy does not apply to a specific script, but to a whole page. So you can only declare a sandbox for a whole page (using the sandbox.pages key in the manifest file). You cannot use "js" as a key in sandbox.
In a Chrome extension, the CSP can be relaxed, e.g. allowing eval using the following policy:
"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"
To turn your app into an extension: do not use the apps key, but use a background key. With the following manifest, you'll be able to use eval in your background page:
{
"name": "Whatever",
"version": "1.0.3",
"manifest_version": 2,
"background": {
"scripts": [
"background.js"
]
},
"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"
}
(omitted icons / permissions because they're not relevant for the example; omitted sandbox because it's not needed)
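The answer above relaxes the extension's policy with 'unsafe-eval', which applies to every extension page. The alternative it also mentions, a page declared under sandbox.pages, keeps the strict policy on the extension's own pages and confines the string evaluation to a sandboxed frame that has no access to the chrome.* APIs or the extension's origin. The following is an added example, not the answerer's code: a Manifest V2 fragment, the sandbox page's script, and a promise-based client for the extension page, talking over postMessage. The file names (sandbox.html, sandbox.js, popup.js), the `{ id, expression, context }` message format, and the choice of `new Function` over `eval` are assumptions of this example.

```javascript
// Added example, not from the original answer: evaluating untrusted code in a
// sandboxed page instead of adding 'unsafe-eval' to the extension's own CSP.

// ---- manifest.json fragment (Manifest V2, as used on this page) ----
// Pages listed under "sandbox.pages" get Chrome's sandbox policy, which allows
// eval; the extension's other pages keep the strict policy below.
const MANIFEST_FRAGMENT = {
  manifest_version: 2,
  sandbox: { pages: ['sandbox.html'] },
  content_security_policy: "script-src 'self'; object-src 'self'",
};

// ---- sandbox.js, loaded by sandbox.html ----
// Evaluate an expression against an explicit context. new Function compiles a
// string just like eval, but the body sees only the named context variables
// and globals, never this function's locals (e.g. `request` itself).
function evaluateInSandbox(request) {
  try {
    const names = Object.keys(request.context || {});
    const values = names.map((n) => request.context[n]);
    const fn = new Function(...names, `"use strict"; return (${request.expression});`);
    return { id: request.id, ok: true, value: fn(...values) };
  } catch (err) {
    return { id: request.id, ok: false, error: String(err) };
  }
}

if (typeof window !== 'undefined') {
  // reply to whoever embedded us (the extension page); data must be structured-cloneable
  window.addEventListener('message', (event) => {
    event.source.postMessage(evaluateInSandbox(event.data), event.origin);
  });
}

// ---- popup.js, an extension page under the strict CSP (no eval here) ----
// Wraps the request/response exchange with <iframe id="sandbox" src="sandbox.html">.
// The sandboxed frame has an opaque origin, so the target origin must be "*";
// replies are accepted only when they come from that frame's window.
function createSandboxClient(iframe) {
  let nextId = 0;
  const pending = new Map();
  window.addEventListener('message', (event) => {
    if (event.source !== iframe.contentWindow) return;   // ignore any other sender
    const reply = event.data || {};
    const settle = pending.get(reply.id);
    if (!settle) return;
    pending.delete(reply.id);
    if (reply.ok) settle.resolve(reply.value);
    else settle.reject(new Error(reply.error));
  });
  return {
    run(expression, context = {}) {
      const id = ++nextId;
      return new Promise((resolve, reject) => {
        pending.set(id, { resolve, reject });
        iframe.contentWindow.postMessage({ id, expression, context }, '*');
      });
    },
  };
}

// Usage inside popup.js (after the iframe has loaded):
//   createSandboxClient(document.getElementById('sandbox'))
//     .run('price * qty', { price: 9.99, qty: 3 })
//     .then(console.log, console.error);

module.exports = { MANIFEST_FRAGMENT, evaluateInSandbox, createSandboxClient };
```

The expression still runs arbitrary code, so treat the sandbox as the trust boundary: pass only the data the expression needs in `context`, and never forward its result into the extension page as HTML or into chrome.* calls without validating it.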