Does specifying a file in a CSP directive prevent other files from that domain being loaded? - content-security-policy

If I have the following script-src directive:
script-src: https://example.com/scripts/file.js;
Is it possible for any of the following scripts to be loaded?
https://example.com/file.js
https://example.com/assets/file.js
https://example.com/scripts/different-file.js
Does this apply to all browsers and CSP v2 / CSP v3?

According to the specifications for CSP v2 and CSP v3, this can be used in both v2 and v3. I would expect browsers to support it as major browsers have supported v2 for years. None of the example scripts should be loaded with the given CSP.
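To make the path rule concrete, here is an added example (not code from the original question or answer) of a small CSP host-source matcher written in the spirit of the CSP Level 2/3 matching algorithm. It goes beyond the question's single case: it also handles scheme-less expressions, `*.host` wildcards, ports, and directory-prefix paths (a trailing `/`). Keyword sources such as `'self'`, nonces and hashes are deliberately not modelled, and the helper names (`parseHostSource`, `allowedBySourceList`, etc.) are this example's own.

```javascript
// Added example: simplified CSP host-source matching (scheme, host, port, path).
// host-source grammar modelled here: [scheme "://"] host [":" port] [path]
const HOST_SOURCE =
  /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?(\/[^?#]*)?$/i;

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

function parseHostSource(expression) {
  const m = HOST_SOURCE.exec(expression);
  if (!m) return null; // keywords ('self', nonces, hashes) are out of scope here
  return {
    scheme: m[1] ? m[1].toLowerCase() + ':' : null,
    host: m[2].toLowerCase(),
    port: m[3] ?? null,
    path: m[4] ?? '',
  };
}

function schemeMatches(exprScheme, urlScheme) {
  if (exprScheme === urlScheme) return true;
  // An http: or ws: expression also permits its secure upgrade.
  return (exprScheme === 'http:' && urlScheme === 'https:') ||
         (exprScheme === 'ws:' && urlScheme === 'wss:');
}

function hostMatches(exprHost, urlHost) {
  const host = urlHost.toLowerCase();
  if (exprHost === '*') return true;
  if (exprHost.startsWith('*.')) {
    // "*.example.com" matches any subdomain of example.com, but not example.com itself
    const suffix = exprHost.slice(1);
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return exprHost === host;
}

function portMatches(exprPort, url) {
  // WHATWG URL reports '' for the scheme's default port
  const urlPort = url.port || DEFAULT_PORTS[url.protocol] || '';
  if (exprPort === null) return url.port === ''; // no port given: only the default port
  if (exprPort === '*') return true;
  return exprPort === urlPort;
}

function pathMatches(exprPath, urlPath) {
  // No path, or just "/", matches every path on that host.
  if (exprPath === '' || exprPath === '/') return true;
  const exprPieces = exprPath.split('/');
  const urlPieces = urlPath.split('/');
  // A trailing "/" makes the expression a directory prefix; otherwise the match is exact.
  const exact = exprPieces[exprPieces.length - 1] !== '';
  if (!exact) exprPieces.pop();
  if (exprPieces.length > urlPieces.length) return false;
  if (exact && exprPieces.length !== urlPieces.length) return false;
  return exprPieces.every((piece, i) =>
    decodeURIComponent(piece) === decodeURIComponent(urlPieces[i]));
}

// pageScheme is the scheme of the document carrying the policy; a scheme-less
// expression inherits it (CSP 2/3 behaviour).
function matchesSourceExpression(expression, urlString, pageScheme = 'https:') {
  const src = parseHostSource(expression.trim());
  if (!src) return false;
  const url = new URL(urlString);
  return schemeMatches(src.scheme ?? pageScheme, url.protocol) &&
         hostMatches(src.host, url.hostname) &&
         portMatches(src.port, url) &&
         pathMatches(src.path, url.pathname);
}

// Evaluate a whole source list (the value of script-src, frame-ancestors, ...).
function allowedBySourceList(sourceList, urlString, pageScheme = 'https:') {
  return sourceList.split(/\s+/).filter(Boolean)
    .some((expr) => matchesSourceExpression(expr, urlString, pageScheme));
}

// Demo with the policy and candidate URLs from the question (constructed input).
if (typeof require !== 'undefined' && require.main === module) {
  const policy = 'https://example.com/scripts/file.js';
  for (const u of ['https://example.com/scripts/file.js', 'https://example.com/file.js',
                   'https://example.com/assets/file.js',
                   'https://example.com/scripts/different-file.js']) {
    console.log(u, allowedBySourceList(policy, u) ? 'allowed' : 'blocked');
  }
}
```

Running the demo shows only the exact path allowed and the other three blocked, which is the behaviour the answer describes. One caveat worth knowing when relying on path-restricted sources: the CSP 3 algorithm skips path matching once a fetch has been redirected (the redirect count is non-zero), so after a redirect only the scheme, host and port of the expression are enforced. A path in a source expression narrows the initial request, not every URL a redirect chain may reach.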

Related

Content Security Policy in Manifest V3 for Facebook Page Plugin

I am writing my first-ever Chrome extension where I need to load the Facebook Page Plugin SDK on my popup.html so I can display the timeline feed. However, the SDK failed to load, citing CSP issues.
Refused to load the script 'https://connect.facebook.net/en_GB/sdk.js' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
Upon doing some research, I found this guide for manifest v3 (I am using the same version), but it's confusing to me how I could write the policy to allow the script above.
There are no examples online for v3 (plenty of them are available for v2).
Any help would really be appreciated.
Thank you :)

Chrome Extensions and Firefox WebExtensions Manifest: Application Key Support

Firefox WebExtensions require the applications key in extensions' manifests.
Chrome's extensions do not appear to support the applications key, and Chrome throws an error when the key is present, unlike Firefox, which simply ignores unsupported keys.
Is there a way around this error that does not require the use of two different manifests for each browser?
Chrome gives this error when the applications key appears in the manifest:
Unrecognized manifest key 'applications'.
Maybe not a direct answer to the question, but according to a Microsoft blog post, "Microsoft Edge extensions now available to preview":
In keeping with our commitment to an interoperable web, we’re participating in the W3C Browser Extension Community Group’s efforts to define standardized extension APIs based on familiar web technologies.
So maybe we can look forward to the future.

Content-Security-Policy not working in Firefox

We are adding a Content Security Policy on our websites to prevent outside sources from using IFrames other than our own.
We are using .NET and have the following in our web.config to do this.
<add name="Content-Security-Policy" value="frame-ancestors 'self' http://*.ourwebsite1.com http://*.ourwebsite2.com http://*.ourwebsite3.com https://*.ourwebsite1.com https://*.ourwebsite2.com https://*.ourwebsite3.com" />
It works fine in IE and Chrome, but in Firefox (latest version), we are getting an error saying it was blocked by Content Security Policy. I know it is only supported on Firefox 23+, but we are all using latest version.
Any ideas?

Build Chrome extension using backbone.js? (Content Security Policy error when using template)

I'm building a project (like a website) as a Chrome extension; the JS framework is Backbone.js.
Rendering views with Backbone's templates is very nice and makes it easy for me to display data. Everything works fine in a normal project but not in the Chrome extension (it always shows the 'Content Security Policy' error message).
How can I deal with this problem? Or can you suggest another framework that makes it easy to build a Chrome extension?
Thanks so much.
Either change your copy of backbone.js to comply with applicable CSP, or change the extension's CSP.
I resolved my problem.
I added: "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"
to my manifest file and it works fine.
It's not recommended by Google Chrome, but it's OK for me.
Thanks.

How to prevent a site from checking for my manifest file?

I have a popular Chrome extension that is being targeted by a specific site: they are messing with our extension's functionality and telling visitors to uninstall our extension. They are detecting that we are running in the browser by checking for our manifest file, looking for the URL chrome-extension://our-app-id/manifest.json. Is there any way I can prevent this?
I tried using content-security-policy, but that seems to only help with cross-site scripting. If not, it seems like a security hole on Google's part; I don't want sites knowing what extensions I am running in my browser.
Manifest version 2 that is tentatively scheduled for version 18 should fix this.
[...] today, all the resources inside your extension (e.g., images)
are visible to web pages. We're changing the default to "not visible"
and then adding a manifest attribute to let you whitelist the
resources that you want to be accessible to web pages.