This line in manifest 3
"content_security_policy": {
"extension_pages": "script-src 'self'; script-src-elem 'self' https://apis.google.com; object-src 'self';"
},
Gives me error
Refused to load the script 'https://apis.google.com/js/api.js?onload=__iframefcb41660' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
I'm using google api for authentication with firebase. In manifest v2 all was fine.
You cannot use external scripts in manifest V3, everything should be inside the extension.
Try using a fetch() if it's an API endpoint.
Related
I've been attempting to follow this guide to integrate Google Sign-In within my chrome extension, but I kept getting an error saying that,
Refused to load the script 'https://www.gstatic.com/firebasejs/8.0/firebase.js' because it violates the following Content Security Policy directive: "script-src 'self'```."
I then tried to include,
"content_security_policy": {
"extension_pages": "script-src 'self' https://apis.google.com; script-src 'self' https://www.gstatic.com; script-src 'self' https://www.googleapis.com; script-src 'self' https://securetoken.googleapis.com;"
}
in my manifest as stated in the aforementioned guide, but then I got the error,
'content_security_policy.extension_pages': Insecure CSP value "https://apis.google.com" in directive 'script-src'.
Could not load manifest.
I then removed the content security policy and tried to include the firebase.js file in my extension directly, but then now I get an error saying,
Refused to load the script 'https://apis.google.com/js/api.js?onload=__iframefcb944385' because it violates the following Content Security Policy directive: "script-src 'self'".
I don't think I'm doing the content security policy incorrectly, so my question is if it's still possible to integrate Google Sign-In within a Chrome Extension. My guess would be no and that it's related to how Manifest V3 will not execute remote code anymore, but I just wanted to double check to make sure that I wasn't doing anything wrong.
I'm creating a web extension and I need to use google recaptcha in it. But when I try to import the library I get an error
Refused to load the script 'https://www.google.com/recaptcha/api.js?onload=onloadcallback&render=explicit' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
I tried to set my script src to authorize request to https://www.google.com
"content_security_policy": {
"extension_pages": "script-src 'self' 'https://www.google.com'; object-src 'self'"
},
but I got an error
'content_security_policy.extension_pages': Insecure CSP value "'https://www.google.com'" in directive 'script-src'.
It is still possible to use external script with manifest v3, and if yes what should I do ?
Blob images aren't showing via JavaScript because of the Content Security Policy in Waterfox 56:
Content Security Policy: The page’s settings blocked the loading of a
resource at blob:http://localhost/1e511fde-fb52-41fc-b7db-6b8b6cf64171
(“img-src http://localhost data:”).
My image CSP:
img-src \'self\' data:;
Self-answered, see below.
Adding blob: resolves the issue, only use a space for the array delimiter (and semi-colons for the key/value pair delimiters):
Before:
img-src \'self\' data:;
After:
img-src \'self\' blob: data:;
I have just applied a Content Security Policy to my Azure Web App in my development environment and it is working fine.
I can also upload it to my staging site on Azure and it runs fine there and the policy is correctly applied and then enforced by my browser. However, when I do a swap, I get the following error:
Cannot swap slots for site 'MySite' because the worker process in
'staging' slot aborted the warmup request. This may happen if site has
IP Restriction or URL rewrite rules that block HTTP requests.
Here is the policy that I am applying (as defined in my web.config)
<add name="Content-Security-Policy"
value="default-src 'none';
script-src 'self' https: 'unsafe-inline' 'unsafe-eval';
style-src 'self' https: 'unsafe-inline';
img-src 'self' https: 'unsafe-inline' data: blob:;
connect-src 'self' https:;
font-src 'self' https:;
object-src 'none';
media-src 'self';
child-src 'self';
form-action 'self';
frame-ancestors 'none'"/>
What is the problem?
Azure doesn't like the carriage returns in the Content-Security-Policy value in the web.config.
If you examine the web.config using the App Service Editor (that is available through the Azure Portal) then you will see the carriage returns have been encoded and turned into
Creating the following invalid CSP which is why the swap is breaking:
default-src 'none';
script-src 'self' https:
'unsafe-inline' 'unsafe-eval';
style-src 'self' https:
'unsafe-inline';
img-src 'self' https: 'unsafe-inline'
data: blob:;
connect-src 'self' https:;
font-src 'self' https:;
object-src 'none';
media-src 'self';
child-src 'self';
form-action 'self';
frame-ancestors 'none'
In short, we need to enter our CSPs all on one line which reduces the readability but is required for Azure to swap.
Chrome is giving me the following error:
Refused to load the script 'http://domain.com/myexternalscript.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'"
Currently, in my manifest my Content Security Policy is as follows:
"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"
How do I alter my security policy so that it can allow the script to run?
On a normal page, you could use
script-src 'self' 'unsafe-eval' domain.com; ...
but extensions only allow external scripts over HTTPS. You'll need to use
script-src 'self' 'unsafe-eval' https://domain.com;
and serve your script over HTTPS.
You must whitelist each external domain you want to use. You can use wildcards to match any subdomain: https://*.domain.com.
See Google's extension documentation on relaxing the default CSP for more information. See also MDN's page Using Content Security Policy.