Google Chrome Extension Manifest v3 does not allow external scripts & inline scripts:
In Manifest V3, all of your extension's logic must be included in the extension. You can no longer load and execute a remotely hosted file.
― source
This is my content_security_policy in manifest.json:
"content_security_policy": {
"extension_pages": "default-src 'self'; script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; script-src-elem 'self' 'unsafe-inline';",
"sandbox": "sandbox"
}
I've been trying to use the Google Drive Picker API inside of a Google Chrome extension, but somehow fail to do so.
The library requires these two scripts:
<script async defer src="https://apis.google.com/js/api.js" onload="onApiLoad()"></script>
<script async defer src="https://accounts.google.com/gsi/client" onload="gisLoaded()"></script>
Which I have downloaded locally inside the extension:
<script async defer src="./lib/apis.google.com/js/api.js"></script>
<script async defer src="./lib/accounts.google.com/gsi/client.js"></script>
window.addEventListener('load', () => gapiLoaded())
But then these two scripts at their turn install other external scripts which is not allowed in Manifest v3:
Error 1
Error 2
I tried both in a popup and in a tab created with:
chrome.tabs.create({url: chrome.runtime.getURL('setup.html')})
Both give the same error
How can I use the Google Drive Picker API inside of a Google Chrome extension?
Thank you
You need to declare https://apis.google.com/js/api.js and
https://accounts.google.com/ in content_security_policy
"content_security_policy": {
"extension_pages": "script-src 'self'; object-src 'self'",
"sandbox": "sandbox allow-scripts; script-src 'self' 'https://apis.google.com/' 'https://accounts.google.com/' 'https://www.googleapis.com' 'https://ajax.googleapis.com'; object-src 'self'"
},
Related
I am trying to add Google Analytics / Google Tag Manager into my Chrome Extension. I got the following snippet:
<!-- Global site tag (gtag.js) - Google Analytics -->
<script async src="https://www.googletagmanager.com/gtag/js?id=X-XXXXXXXXX"></script>
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());
gtag('config', 'X-XXXXXXXXX);
</script>
When I add this snippet into a random HTML (not Chrome Extension) I see two request in DevTools:
https://www.googletagmanager.com/gtag/js?...
https://www.google-analytics.com/g/collect?
This is correct, this works. I see logs in the Google Dashboard.
But when I add the same snippet in the popup.html of my Chrome Extension, open DevTools and refresh the page I only see the first request in DevTools. No warnings, no errors and no Logs in the Google Dashboard.
Manifest V3
"content_security_policy": {
"extension_pages": "script-src 'self'; object-src 'self'; script-src-elem https://ssl.google-analytics.com chrome-extension://* 'unsafe-inline' https://www.googletagmanager.com https://www.google-analytics.com"
},
Any idea why there is only the first request in the Chrome Extension?
I have a Chrome Extension that when clicked inserts a video on the page:
<video width="320" height="240" controls>
<source src="https://example.com/video.mp4" type="video/mp4">
</video>
When using the extension on Twitter.com, the video doesn't load on the page and in the console I see this error:
Refused to load media from 'https://example.com/video.mp4' because it violates the following Content Security Policy directive: "media-src 'self' blob:
In Manifest.json (version3) I've tried several versions of the below but nothing works. Does anyone know how to resolve this error so that the video can load? Any and all help is much appreciated - thanks.
"content_security_policy": {
"extension_pages": "script-src 'self'; object-src 'self'; media-src * blob: https://example.com/*"
},
instead of:
"extension_pages": "script-src 'self'; object-src 'self'; media-src * blob: https://example.com/*"
try:
"extension_pages": "script-src 'self'; object-src 'self'; media-src example.com"
Unfortunately you can't insert a <video> tag into page protected by CSP. Twitter has a CSP with:
media-src 'self' blob: https://*.vine.co https://*.giphy.com
https://media.riffsy.com https://*.twimg.com https://twitter.com
https://dhdsnappytv-vh.akamaihd.net https://mdhdsnappytv-vh.akamaihd.net
https://mmdhdsnappytv-vh.akamaihd.net https://mpdhdsnappytv-vh.akamaihd.net
https://pdhdsnappytv-vh.akamaihd.net https://dwo3ckksxlb0v.cloudfront.net
https://*.pscp.tv https://*.video.pscp.tv;
and as you can see it's a twitter's CSP blocks you extension's work:
Refused to load media from 'https://example.com/video.mp4' because it
violates the following Content Security Policy directive: "media-src 'self' blob: ...
Because your extension's CSP is media-src * blob: https://example.com/*" - these are not the rules that you see blocked in the console.
As #granty mentioned there's no direct solution given Twitter prohibitive CSP.
A workaround however is to insert an iframe on the page and insert insert the video in the iframe. Hope this helps anyone else looking for a solution!
I am attempting to load an avatar image in a React app that is being served up from a NodeJS/Express backend.
I have my content-security policy set as:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src 'self' s.gravatar.com; style-src 'self'; connect-src 'self'; ">
To be able to access the gravatar image.
However, when I run the React app in production mode, I get the following error in the console:
Refused to load the image 'https://s.gravatar.com/avatar/a57b7e3be28e9bf9b245a409b4666ee3?s=200&r=pg&d=mm' because it violates the following Content Security Policy directive: "img-src 'self' data:".
Doing a View Source on the page clearly shows that I the img-src policy is correctly set:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src 'self' s.gravatar.com; style-src 'self'; connect-src 'self'; ">
I have tried this in both Chrome and Firefox and I received the same issue where the image is getting blocked.
Please let me know what I may be doing wrong.
I realized my mistake! I was using helmet in my NodeJS backend which was overriding the CSP specified on the front-end side.
I did not think it would have an effect on the front-end but seems like it takes precedence.
Hopefully that saves someone else some time in their investigation.
The react documentation points to this file as an example of using babel inline https://raw.githubusercontent.com/reactjs/reactjs.org/master/static/html/single-file-example.html
Even though it's not recommended for production, it would be helpful for me to develop faster if I could just write jsx for the time being in my chrome extension without having to compile myself. My issue is that if you try this you get an error in a chrome extension.
babel.min.js:1 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' https://unpkg.com". Either the 'unsafe-inline' keyword, a hash ('sha256-FN6NaNuBVCZD7+6eEydixs7VVD0vxTZKnwjth9yDpCC='), or a nonce ('nonce-...') is required to enable inline execution.
I've tried adding a content security policy to my chrome extension, but still get the same error: Here is my policy in my chrome extension manifest
"content_security_policy": "script-src 'self' 'unsafe-eval' https://unpkg.com; object-src 'self' 'sha256-FN6NaNuBVCZD7+6eEydixs7VVD0vxTZKnwjth9yDpCC='"
Anyone have any ideas on what I'm doing wrong?
As part of new security requirement from the client I have added "Content Security Policy" in my Liferay application:
response.setHeader(
"Content-Security-Policy",
"default-src 'none'; script-src 'unsafe-inline' *.googleapis.com; style-src 'self' *.googleapis.com;font-src 'self' *.gstatic.com;connect-src ; img-src 'self' data:;base-uri 'none';frame-ancestors 'none';");
But I am getting below error
Refused to load the script 'http://localhost:8080/o/js_loader_modules?t=1536146336645' because it violates the following Content Security Policy directive: "script-src 'unsafe-inline' *.googleapis.com".
Local server up and running localhost:8080. How to solve this?
It looks like CSP blocks your own script from loading and only allows inline <script> tags from googleapis.com. You should try adding 'self' to your CSP rules, because it means you can use scripts from your own domain.
script-src 'self' 'unsafe-inline' *.googleapis.com;