I know there is already stuff about that. i'm on it for several days and read and tried before posting.
1: No 'Access-Control-Allow-Origin' header is present on the requested resource—when trying to get data from a REST API describes a relevant issue according to my problem. But I can't solve it. I'm on a chrome extension development that performs an ajax request on a dictionary web server and injects some css/html in the current page, to display a tooltip with some data related to the user selection. It works really fine with the 'MOESIF Cors' extension ON in my browser. I want it to work without this extension, with some javascript tweaks or manifest.json good parameters. I'm stuck. I had CORS violation because of the server (I've no access to the server and can't modify its response headers) Access-control-allow-origin policy. I've tried a lot of request headers combinations in my $.ajax/jquery GET-request but nothing works.
Access to XMLHttpRequest at 'https://dictionary.xxx.ie/dictionary/english/government%20' from origin 'https://en.wikipedia.org' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
According to the article cited above, I've tried to set 'data-type': to 'jsonp' and that replaced the cors policy violation by another violation :
Refused to load the script 'https://dictionary.xxx.ie/dictionary/english/publication?callback=jQuery3600056231503718366715_1615940095416&_=1615940095418' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
There must be a quick fix to this as the MOESIF extension works so fine : I tried all these headers : MOESIF Extension but it doesn't work. I sandboxed my script in the manifest.json after reading the docs (it seems to be more lax) but it hasn't done any better. I'm thinking of embedding a javascript proxy in my extension if such a thing is possible ! Any clue ?
thanks for reading.
Manifest.json
{
"manifest_version": 3,
"name": "Not a translator",
"version": "1.0",
"default_locale": "en",
"background": {
"service_worker": "background.js"
},
"host_permissions": [
"http://dictionary.xxx.ie/*",
"https://dictionary.xxx.ie/*"
],
"permissions": ["storage", "activeTab", "contextMenus", "scripting"],
"sandbox": {
"pages": ["chrome-extension://afeenkbblogndiamnfkocnomlppheomb/jquery.min.js"]
},
"content_security_policy": {
"sandbox":"sandbox allow-scripts; script-src-elem chrome-extension://afeenkbblogndiamnfkocnomlppheomb/jquery.min.js 'unsafe-inline' 'unsafe-eval'; child-src 'self';"
},
"content_scripts":
[{
"matches": ["http://*/*", "https://*/*"],
"css": ["tooltip.css"],
"run_at": "document_start",
"js": ["tooltip.js", "jquery.min.js"]
}],
"externally_connectable": {
"ids": ["afeenkbblogndiamnfkocnomlppheomb"],
"matches": ["https://localhost/*"],
"accepts_tls_channel_id": false
},
"action": {
"default_title": "__MSG_tooltip__",
"default_popup": "popup.htm",
"default_icon": {
"16": "/images/get_started16.png",
"32": "/images/get_started32.png",
"48": "/images/get_started48.png",
"128": "/images/get_started128.png"
}
},
"icons": {
"16": "/images/get_started16.png",
"32": "/images/get_started32.png",
"48": "/images/get_started48.png",
"128": "/images/get_started128.png"
},
"options_page": "options.htm"
a part of my jquery request from background.js (very large, can't get a runnable version) :
var url1 = "https://dictionary.xxx.ie/dictionary/english/" +
encodeURIComponent(text);
$.ajax({
method: "GET",
url: url1,
crossDomain:true,
dataType: "jsonp",
data: {}
})...
When I inspect the headers of my request I sometime get a 403 forbidden. when I put the 'jsonp' header I've got some 'provisional headers' and nothing else. I think the POST or OPTIONS method used for jsonp gets me some response headers that ban further requests. I don't know which header I can add to solve this. Jquery doesn't allow me to pass a 'Origin': 'http://localhost' for example (for vulnerability reasons).
Remove content_security_policy and sandbox from manifest.json, they won't help here.
Remove jQuery and its calls from background.js, it won't work in ManifestV3 service worker because jQuery is based on DOM things like XMLHttpRequest that aren't present in a service worker.
Solution
in the background script: use fetch .
in the content script, to make a cross-origin request: send a message to the background, which will make a fetch request and send the results back, example.
Related
I am trying to use SharedArrayBuffer by setting up a document that is cross-origin isolated. However since it is in a Google Chrome extension and I need WebAssembly, I need to run this inside a sandboxed page.
I have a sandboxed page which is defined as such in my manifest.json
{
...
"sandbox": {
"pages": ["sandbox.html"]
},
"content_security_policy": {
"sandbox": "sandbox allow-scripts; script-src 'self' 'wasm-eval'; script-src-elem 'self' 'wasm-eval' blob:; worker-src 'self' blob:"
},
"cross_origin_embedder_policy": {
"value": "require-corp"
},
"cross_origin_opener_policy": {
"value": "same-origin"
},
...
}
and I have also enabled cross-origin isolation with COOP and COEP.
The sandbox.html does nothing except use this script:
window.addEventListener('load', () => {
const thing = document.createElement('h1');
thing.innerHTML = self.crossOriginIsolated ? 'GOOD am crossOriginIso' : 'BAD am not crossOriginIso';
document.body.appendChild(thing);
});
Then I have a page outer.html which embeds sandbox.html in an iFrame.
<iframe src="sandbox.html" allow="cross-origin-isolated"></iframe>
When I open outer.html, I get the message "BAD am not crossOriginIso", ie the sandbox.html document inside the iFrame is not cross-origin isolated (and I cannot use SharedArrayBuffer).
Is there a way to enable cross-origin isolation in a Chrome extension with manifest v3 in an iFrame where the inner document is sandboxed (through manifest.json).
Perhaps more specifically, how does one add more featurePolicy.allowedFeatures() to a sandbox iFrame (which is sandboxed in the Chrome extension's manifest.json, not with the sandbox attribute).
I have noted the following things:
Opening sandbox.html directly without the iFrame, the page is cross-origin isolated.
Removing the sandbox attribute in manifest.json results in the document inside the iframe to be cross-origin isolated.
Executing document.featurePolicy.allowedFeatures() inside the iFrame gives a very small list of features (and doesn't include cross-origin-isolated). This list is a lot smaller than executing the same command when opening sandbox.html directly.
In chrome 103, manifest v3, that works well
"content_security_policy": {
"extension_pages": "default-src 'self' 'wasm-unsafe-eval';style-src 'unsafe-inline' 'self' "
},
"cross_origin_embedder_policy": {
"value": "require-corp"
},
"cross_origin_opener_policy": {
"value": "same-origin"
},
don't use sandbox to run ffmpeg.wasm, SharedArrayBuffer is not available in sandbox
When I publish Chrome extension, I get the below warning. I'm not requesting broad host permissions, just permissions on 8 specific domains:
Because of the following issue, your extension may require an in-depth
review:
- Broad host permissions Instead of requesting broad host permissions, consider using the activeTab permission, or specify the sites that
your extension needs access to. Both options are more secure than
allowing full access to an indeterminate number of sites, and they may
help minimize review times.
The activeTab permission allows access to a tab in response to an
explicit user gesture.
{
"manifest_version": 2,
"name": "My Amazing Extension",
"version": "1.3",
"description": "It's great",
"icons": {
"16": "img/icon16.png",
"32": "img/icon32.png",
"48": "img/icon48.png",
"128": "img/icon128.png"
},
"browser_action": {
"default_title": "My Amazing Extensions"
},
"background": {
"scripts": ["background.js"]
},
"content_scripts": [
{
"run_at": "document_start",
"matches": ["*://www.domain.com/*", "*://www.domain.co.uk/*", "*://www.domain.ca/*", "*://www.domain.de/*", "*://www.domain.fr/*", "*://www.domain.es/*", "*://www.domain.it/*", "*://www.domain.in/*"],
"js": ["content0.js"]
}],
"web_accessible_resources": [
"font.css",
"AZSDstyle.css",
"font.woff2",
"img/*"
],
"permissions": [
"activeTab",
"storage",
"*://www.domain.com/*",
"*://www.domain.co.uk/*",
"*://www.domain.ca/*",
"*://www.domain.de/*",
"*://www.domain.fr/*",
"*://www.domain.es/*",
"*://www.domain.it/*",
"*://www.domain.in/*"
],
"content_security_policy": "script-src 'self' https://ssl.google-analytics.com; object-src 'self'"
}
As #wOxxOm mentions in his comment, it was likely being rejected because the detector is a bit buggy, potentially because of * in the scheme.
In my case the extension was approved within 30 mins which is unusually quick if there had been actual 'broad permissions' issues which in past experience have taken a week or more to be approved.
Replacing *:// with http:// and https:// on separate lines would likely have avoided this error in the first place.
I'm building my first chrome extension, and I'm running into a very basic problem.
My extension has a background script running all the time, that redirects the url of a webpage to a local web page if certain conditions are met.
chrome.tabs.update(e.tabId,
{url: "popup.html"});
Popup.html is loaded into the tab. This works fine, but I want to include some javascript in popup.html.
I'm able to include a popup.js file, but trying document.addEventListener doesn't work, because document is null.
Also, when I try to include jquery.js, I get
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' chrome-extension-resource:".
I tried updating the manifest file properties to this, but it didn't seem to help:
"content_scripts": [
{
"matches": ["http://*/*", "https://*/*"],
"js": ["background.js", "jquery.min.js", "popup.js"]
}
],
"permissions": [
"tabs", "http://*/*", "https://*/*",
"webNavigation"
],
"background": {
"scripts": ["background.js", "popup.js", "jquery.min.js"]
}
I looked into this document http://developer.chrome.com/stable/extensions/contentSecurityPolicy.html but it didn't have any solution. Any ideas?
I, that error says you are running a inline script directly in a tag in your HTML document, or in a event handler like onclick="myCode();". Content Security Policy prevent you to do so.
I don't know if it's you who wrote that script, or if it is some external framework. Nevertheless, you should assure you don't have inline code in popup.html, or you should relax your Content Security Policy allowing inline scripts with 'unsafe-inline'.
Remember that when relaxing security policy, you are relaxing SECURITY, and your code is more vulnerable to attacks. Do it with debug purpose, but try to remove it from your release version.
Previously I have loaded facebook comment plugin in side my chrmoe extension with manifest version 01. Now I updated version to manifest version 02 and then I have to do couple of changers in my extension code base.
According to the new version we can not load the external js file without specifying external resources associate with "content_security_policy". Anyway this is my new manifest.json file,
{
"name": "",
"version": "1.13",
"manifest_version": 2,
"description": "",
"background": "background.html",
"icons": { "128": "fb_bug.gif" },
"content_security_policy": "script-src 'self' https://connect.facebook.net/; object-src 'self'",
"browser_action": {
"default_icon": "icon.png",
"default_popup": "plugin_content.html"
},
"permissions": [
"tabs",
"background",
"cookies"
],"web_accessible_resources": [
"css/extension.css",
"js/config.js",
"js/jquery-1.6.1.min.js"
"js/extension.js",
"images/loaderImg.gif",
"https://connect.facebook.net/en_US/all.js"
]
}
Now when I load the extension it raises a following error and facebook social plugin is not working.
"error: Code generation from strings disallowed for this context all.js:41"
Is there anyone who know solution for this matter.
sorry it took so long to reply to this.
I'm an Engineer at Facebook and tried looking at alternatives to remove the one Function() we use in the SDK, but unfortunately there is no way to reliably remove it without breaking functionality. Other seem to have the same problem and I didn't find anyone that was able to solve this issue in an efficient way.
However, according to this comment on the Chromium issue tracker (http://code.google.com/p/chromium/issues/detail?id=107538#c69), you should be able to solve this by adding a content_security_policy attribute to your manifest that whitelists 'unsafe-eval' for script-src:
{
...
"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"
...
}
I have a chrome extension that has a reference to the jquery file.
this is my popup html (only the head tag):
<head>
<title>My Extention</title>
<script type="text/javascript" src="http://www.MySite.com/Resources/JS/JQuery/jquery-1.7.2.min.js"></script>
<script type="text/javascript" src="MyExtensionScript.js"></script>
</head>
so in "MyExtensionScript.js" i thought i could use jquery but apparently the $ function is not defined.
This is my manifest.json file:
{
"name": "My Test Extension",
"version": "1.0",
"manifest_version": 2,
"description": "Test version of My Extension",
"browser_action": {
"default_icon": "test.ico",
"default_popup": "Test.html"
},
"permissions": [
"cookies",
"tabs",
"<all_urls>"
]
}
in version 1 of the manifest it worked, but now it doesn't. I tried to use the "web_accessible_resources" and add to them "http://www.MySite.com/Resources/JS/JQuery/jquery-1.7.2.min.js" but that didn't work also. any ideas?
also, i have a script injected to the current page and returning me a message (in my case some html source of the current page), will this behavior be affected by the transition to manifest version 2?
Thanks all :)
EDIT: I have a web application that enables cross domain scripting (using JSONP). In my extension i had a script calling a web service in my site with $.getJSON. now it doesn't work. i'm pretty sure that it has to do with the new manifest version but how can i enable again the cross domain scripting?
You need to use a jQuery file stored locally in your extension, rather than referenced from your site.
This is due to Chrome's strict Content Security Policy that only allows local scripts to be executed, with no inline code.
Web Accessible Resources are files inside your extension that may be accessed from the web, rather that resources your extension can access that are on the web. For example, if you wanted to change the background image of a page using an image stored in the extension, you have to add that image to the list in web_accessible_resouces in your manifest.
The change of manifest version should not affect your content scripts, unless they do something that is no longer allowed. You can see what else has changed from the Chrome manifestVersion docs.
I just include jquery in my content scripts. just make sure to load it before your script.
{
"manifest_version": 2,
"default_title": "Babble",
"version": "1.2",
"description": "Chat in your language with friends in their language",
"default_locale": "en",
"default_icons": {
"16": "img/icon16.png",
"48": "img/icon48.png",
"128": "img/icon128.png"
},
"content_scripts":[
{
"matches": ["http://mail.google.com/*", "https://mail.google.com/*"],
"css" : ["css/style.css"],
"js" : ["js/jquery.js" , "js/translate.js" , "js/jquery.cookie.js"]
}
]
}