Content Security Policy in Chrome App - javascript

My Chrome app has the following manifest:
{
  "name": ",
  "version": "1.0.3",
  "manifest_version": 2,
  "description": "Chrome Extension for.",
  "icons": {
    "16": "images/test.png",
    "19": "images/test.png",
    "256": "images/test.png"
  },
  "app": {
    "background": {
      "scripts": [
        "background.js"
      ]
    }
  },
  "sandbox": {
    "js": [
      "lib/test-api.js"
    ]
  },
  "permissions": [
    "<all_urls>",
    "notifications",
    "storage",
    "videoCapture"
  ]
}
I have a script file that runs eval. I have read about CSP and sandboxing, but I still get this error:
Refused to evaluate a string as JavaScript because 'unsafe-eval' is
not an allowed source of script in the following Content Security
Policy directive: "default-src 'self' chrome-extension-resource:".
Note that 'script-src' was not explicitly set, so 'default-src' is
used as a fallback.

Have you tried adding the CSP line to your manifest as per your CSP link?
"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"

What you're showing is not a Chrome extension, but a Chrome app.
Chrome extensions will let you relax the default Content Security Policy; Chrome Apps won’t. (source: CSP docs for Chrome apps; note: this page is different from CSP docs for Chrome extensions).
The next line applies to apps and extensions:
The Content security policy does not apply to a specific script, but a whole page. So, you can only declare a sandbox for a whole page (using the sandbox.pages key in the manifest file). You cannot use "js" as a key in sandbox.
In a Chrome extension, the CSP can be relaxed, e.g. allowing eval using the following policy:
"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"
To turn your app into an extension: do not use the app key, but use a background key. With the following manifest, you'll be able to use eval in your background page:
{
  "name": "Whatever",
  "version": "1.0.3",
  "manifest_version": 2,
  "background": {
    "scripts": [
      "background.js"
    ]
  },
  "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"
}
(omitted icons / permissions because they're not relevant for the example; omitted sandbox because it's not needed)

Related

Insecure CSP value "'unsafe-eval'" in directive 'script-src'

While trying to load a third-party JS file into content scripts in a Chrome extension, I'm facing an unsafe-eval error.
My manifest.json looks like this:
{
  "manifest_version": 3,
  "name": "Test",
  "version": "1.0",
  "host_permissions": ["https://mail.google.com/"],
  "content_scripts": [
    {
      "matches": [
        "https://mail.google.com/*"
      ],
      "js": ["3rdparty.js", "code.js"],
      "run_at": "document_end"
    }
  ]
}
After loading, I'm receiving this error:
Error logged: EvalError: Refused to evaluate a string as JavaScript
because 'unsafe-eval' is not an allowed source of script in the
following Content Security Policy directive: "script-src 'self'".
So I have tried adding a CSP to the manifest file:
{
  ...,
  "content_security_policy": {
    "extension_pages": "script-src 'self' 'unsafe-eval'; object-src 'self'"
  }
}
Then I'm receiving this error in Chrome, telling me that it's unable to load the extension:
'content_security_policy.extension_pages': Insecure CSP value
"'unsafe-eval'" in directive 'script-src'.
I'm afraid you cannot use 'unsafe-eval' in manifest version 3.
Are you executing remote code or arbitrary strings?
You can no longer execute external logic using chrome.scripting.executeScript({code: '...'}), eval(), and new Function().
You have to move all your scripts into remote or local files.
You may generate scripts in a remote file (e.g. PHP) and execute them using chrome.scripting.executeScript instead of using eval(), or consider migrating back to MV2.

Error when i try to use https://apis.google.com/js/api.js in my chrome extension

I am working on an extension that will get the events on your Google Calendar. I followed this tutorial here. I got it working in my browser by hosting it using Python, but when I load my extension into Chrome it does not work. This is the error:
Refused to load the script 'https://apis.google.com/js/api.js' because it violates the following Content Security Policy directive: "script-src 'self' blob: filesystem:". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
Here is my manifest.json:
{
  "manifest_version": 2,
  "name": "Google Calendar Extension",
  "description": "Gets google calendar api and displays future events.",
  "version": "1.0",
  "browser_action": {
    "default_icon": "icon.png",
    "default_popup": "index.html"
  },
  "Content-Security-Policy": "script-src 'self' https://apis.google.com ; object-src 'self'"
}
Is there any way to fix it, or do I have to do it another way?
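The first question (a `sandbox.js` key in an app manifest), the MV3 answer (Chrome refusing `'unsafe-eval'` in `extension_pages`) and the calendar question (the HTTP header name used as a manifest key) are all manifest mistakes that can be caught before loading the extension. As an added example that is not code from any of the posts above, this Node.js lint checks a parsed manifest.json for exactly those cases; the key names and rules are the ones the page discusses, plus the MV3 rejection of remote script hosts, which is Chrome's documented behaviour:

```javascript
// Added example, not from any post on this page: a small lint for the manifest
// mistakes shown in these questions, run before Chrome gets to reject the file.
const CSP_KEY = 'content_security_policy';
const SANDBOX_KEYS = new Set(['pages', 'content_security_policy']);

function lintManifest(manifest) {
  const findings = [];
  const mv = manifest.manifest_version;

  // The HTTP header name is not the manifest key (the calendar question above).
  for (const k of Object.keys(manifest)) {
    if (k !== CSP_KEY && k.toLowerCase().replace(/-/g, '_') === CSP_KEY) {
      findings.push(`'${k}' is ignored; the manifest key is '${CSP_KEY}'`);
    }
  }
  // A packaged app cannot relax the default CSP at all (the first question).
  if (manifest.app && manifest[CSP_KEY] !== undefined) {
    findings.push('a Chrome app cannot override the default CSP');
  }
  // sandbox takes "pages" (and, in MV2, its own CSP); "js" is not a sandbox key.
  for (const k of Object.keys(manifest.sandbox || {})) {
    if (!SANDBOX_KEYS.has(k)) findings.push(`'sandbox.${k}' is not a valid key`);
  }
  const csp = manifest[CSP_KEY];
  if (mv === 2 && csp !== undefined && typeof csp !== 'string') {
    findings.push('MV2 content_security_policy must be a string');
  }
  if (mv === 3 && csp !== undefined) {
    if (typeof csp !== 'object' || csp === null) {
      findings.push('MV3 content_security_policy must be an object (extension_pages / sandbox)');
    } else if (typeof csp.extension_pages === 'string') {
      // Chrome refuses an MV3 extension whose extension_pages policy allows
      // eval or remote script hosts (localhost is tolerated for development).
      if (csp.extension_pages.includes("'unsafe-eval'")) {
        findings.push("MV3 extension_pages rejects 'unsafe-eval'");
      }
      if (/https?:\/\/(?!localhost|127\.0\.0\.1)/.test(csp.extension_pages)) {
        findings.push('MV3 extension_pages rejects remote script sources');
      }
    }
  }
  return findings;
}
```

Feed it `JSON.parse(fs.readFileSync('manifest.json', 'utf8'))`; an empty array means none of the mistakes discussed on this page are present.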

Chrome extension refused to load the script for Firebase

I am trying to set up a Firebase database for my Chrome extension. However, it still refuses to load the script even after I added content_security_policy.
Console error:
"content_security_policy":"script-src 'self' https://www.gstatic.com/ https://*.firebaseio.com https://www.googleapis.com; object-src 'self'",
<script defer src="https://www.gstatic.com/firebasejs/7.11.0/firebase-app.js"></script>
<script defer src="https://www.gstatic.com/firebasejs/7.11.0/firebase-database.js"></script>
You must specify those two links in your manifest file under the "content_security_policy" property, like so:
"content_security_policy": "script-src 'self' https://www.gstatic.com/firebasejs/7.11.0/firebase-app.js https://www.gstatic.com/firebasejs/7.11.0/firebase-database.js https://www.googleapis.com https://*.firebaseio.com; object-src 'self'"

Content Security Policy directive: "script-src 'self' blob: filesystem: chrome-extension-resource:" while fetching weather

I am using the jQuery simpleWeather plugin to get the weather and trying to create a Chrome widget.
While loading the files as a Chrome extension, I am getting an error; after looking at all the help provided by Google and here itself, I am still not able to resolve this issue.
Below is the error for Yahoo weather:
> jquery-2.1.3.min.js:4 Refused to load the script
> 'https://query.yahooapis.com/v1/public/yql?format=json&rnd=2016437&diagnosti…ces(1)%20where%20text=%22New%20Delhi%22)%20and%20u=%22c%22&_=1462326587463'
> because it violates the following Content Security Policy directive:
> "script-src 'self' blob: filesystem: chrome-extension-resource:".
Another error, which is for the font:
> Refused to load the font
> 'data:application/octet-stream;base64,AAEAAAAPAIAAAwBwR1NVQrD+s+0AAAD8AAAAQk…GIUViwQIhYsQNkRLEmAYhRWLoIgAABBECIY1RYsQMARFlZWVmzDAIBDCq4Af+FsASNsQIARAAA'
> because it violates the following Content Security Policy directive:
> "default-src *". Note that 'font-src' was not explicitly set, so
> 'default-src' is used as a fallback.
The manifest code used is:
"content_security_policy": "script-src 'self'; object-src 'self' https://query.yahooapis.com/",
"permissions": [
  "tabs", "<all_urls>", "http://localhost/",
  "http://*/*", "https://*/*", "https://query.yahooapis.com/*"
],
"content_scripts": [{
  "css": [
    "css/component.css",
    "css/tooltip-line.css",
    "css/modal.css"
  ],
  "js": [
    "js/modernizr.custom.js",
    "js/jquery-2.1.3.min.js",
    "js/jquery.simpleWeather.min.js",
    "js/handlebars-v4.0.5.js",
    "js/moment.min.js",
    "js/background.js"
  ],
  "matches": [ "http://*/*", "https://*/*" ]
}]
Also, in my HTML file I am using this meta tag:
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' http://* 'unsafe-inline'; script-src 'self' http://* 'unsafe-inline' 'unsafe-eval'" />
Can someone please help me with how I can solve this?
Your content_security_policy has "script-src 'self'", which means scripts cannot be loaded from a third-party URL.
You have specified the Yahoo API in the object-src directive. The object-src directive (MDN) specifies valid sources for the <object>, <embed>, and <applet> elements.
To load the script from a third party, you have to specify it in the script-src directive, like this:
"content_security_policy": "script-src https://query.yahooapis.com/ 'self'; ..."
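The errors quoted in the first question ('script-src' absent, so 'default-src' is the fallback), in the Firebase question and in this Yahoo answer (a host listed under object-src does nothing for scripts) all come from the same evaluation the browser performs. As an added example that is not code from any post above, this Node.js model parses a policy string and answers "may this script load?" and "may eval() run?" the way those messages describe; it is a simplification of real CSP matching (no nonces, hashes or port handling), and the extension origin passed as `selfOrigin` is an assumed placeholder:

```javascript
// Added example, not from any post on this page: a simplified model of how a
// page-level CSP decides whether a script may load or eval() may run, following
// the rules the quoted errors state: 'script-src' falls back to 'default-src'.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Effective source list for scripts: script-src if present, else default-src.
function scriptSources(directives) {
  if (directives['script-src']) return { list: directives['script-src'], fallback: false };
  if (directives['default-src']) return { list: directives['default-src'], fallback: true };
  return { list: null, fallback: false }; // no restriction declared at all
}

// One source expression against the script URL: 'self', bare schemes such as
// blob:, hosts with a leading *. wildcard, and a path prefix (simplified).
function sourceMatches(expr, url, selfOrigin) {
  const e = expr.replace(/^'|'$/g, '');
  if (e === 'self') return `${url.protocol}//${url.host}` === selfOrigin;
  if (e === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(e)) return url.protocol === e.toLowerCase();
  let spec = e.includes('://') ? e : `https://${e}`;
  const wildcard = spec.includes('://*.');
  if (wildcard) spec = spec.replace('://*.', '://');
  let target;
  try { target = new URL(spec); } catch (_) { return false; }
  const hostOk = wildcard
    ? url.hostname.endsWith(`.${target.hostname}`)
    : url.hostname === target.hostname;
  const pathOk = target.pathname === '/' || url.pathname.startsWith(target.pathname);
  return hostOk && url.protocol === target.protocol && pathOk;
}

// Would <script src=scriptUrl> load? selfOrigin is the extension's own origin.
function canLoadScript(policy, scriptUrl, selfOrigin) {
  const { list, fallback } = scriptSources(parseCsp(policy));
  if (list === null) return { allowed: true, fallback };
  const url = new URL(scriptUrl);
  return { allowed: list.some((s) => sourceMatches(s, url, selfOrigin)), fallback };
}
// Would eval() or new Function() run under this policy?
function canEval(policy) {
  const { list, fallback } = scriptSources(parseCsp(policy));
  return { allowed: list === null || list.includes("'unsafe-eval'"), fallback };
}
```

Note that object-src is never consulted for scripts, which is why the Yahoo host had to move into script-src, and that `fallback: true` corresponds to the "'default-src' is used as a fallback" note in the first question's error.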

Use AngularJS in a Chrome extension

I want to use AngularJS in a Chrome extension, but I get an error like this:
Error: SECURITY_ERR: DOM Exception 18
Error: An attempt was made to break through the security policy of the user agent.
at new listConnection
manifest.json:
{
  "name": "Chrome auditor connection",
  "version": "1",
  "icons": {
    "48": "icone.png",
    "128": "icone.png"
  },
  "description": "Chrome-auditor-connection is an extension for Google Chrome browser. It ensures that nobody connects to your browser with your profile.",
  "background": {
    "scripts": [
      "chrome_ex_oauthsimple.js",
      "chrome_ex_oauth.js",
      "background.js"
    ]
  },
  "browser_action": {
    "default_title": "Chrome auditor connection",
    "default_icon": "icone.png",
    "default_popup": "index.html"
  },
  "permissions": [
    "storage"
  ],
  "web_accessible_resources": ["index.html"],
  "sandbox": {
    "pages": ["index.html", "index.js", "angular.min.js"]
  },
  "manifest_version": 2
}
index.js:
function listConnection($scope) {
  $scope.connections = JSON.parse(localStorage['connectionHistory']);
}
I think the JSON.parse() is blocked by the Chrome "Content Security Policy" (CSP).
Do you have any solution?
Your index.js is sandboxed, as defined in your manifest.json file.
"A sandboxed page will not have access to extension or app APIs"
So it can't access localStorage.
Remove the sandbox or use something like https://github.com/jamesmortensen/chrome-sandbox-storageAPI for sandboxed pages.
There are two answers for you:
Add ng-csp to your <html> tag, like this: <html ng-csp ng-app="AngularAppName">. See this SO answer.
Add this line to manifest.json file
"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self' "
Problems in your code
These are some of the problems I see so far with the code shared.
Your index.html is being used as default_popup, in web_accessible_resources and in sandbox pages. That is functionally incorrect; what is it you want to develop?
Why do you want to put angular.min.js in the sandbox location?
Is index.js used by index.html? If so, there is no need to list it explicitly.
Storage is an object per domain; your localStorage differs between the sandbox and other pages.
