Content Security Policy in Manifest V3 for Facebook Page Plugin - google-chrome-extension

I am writing my first ever chrome extension where I need to load the Facebook page plugins SDK on my popup.html for me to display the timeline feed. However, the SDK failed to load citing CSP issues.
Refused to load the script 'https://connect.facebook.net/en_GB/sdk.js' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
Upon doing some research, I found this guide for manifest v3 (I am using the same version) but it's confusing to me how I could write the policy to allow the script above.
There are no examples online for v3 (plenty of them are available for v2).
Any help would really be appreciated.
Thank you :)

Related

Does specifying a file in a CSP directive prevent other files from that domain being loaded?

If I have the following script-src directive:
script-src https://example.com/scripts/file.js;
Is it possible for any of the following scripts to be loaded?
https://example.com/file.js
https://example.com/assets/file.js
https://example.com/scripts/different-file.js
Does this apply to all browsers and CSP v2 / CSP v3?
According to the specifications for CSP v2 and CSP v3, this can be used in both v2 and v3. I would expect browsers to support it as major browsers have supported v2 for years. None of the example scripts should be loaded with the given CSP.

In Chrome Extension's manifest, Is it possible to define update_url outside of the extension?

In my scenario, I have a Chrome extension that is self hosted, and would like to specify the update_url outside of the extensions for flexibility.
Is there a way to specify the update URL outside of the manifest, or even outside of the extension (for example, in the registry, or chrome storage area)?
You can't.
According to documentation, you have to provide an update URL in the manifest, and that manifest can't be altered at runtime for security reasons.
What you can do is provide an update URL and change the target XML as you need on your server. It can also be a redirect link, for example.

Getting a lot of 'Content Security Policy' warnings in the console (Firefox)

I'm working with Firefox and I'm getting a lot of 'Content Security Policy' warnings in the console,
including:
Content Security Policy: The page's settings blocked the loading of a resource at inline ("script-src").
and
Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified
I'm getting these warnings on every website, or almost every website. For example, I get a lot of warnings when I go to Gmail, and fewer here at Stack Overflow; some websites show less, and some show more.
I have recently started working with webpack and some more Node.js tools; can this be the source of these warnings?
What can I do to prevent it?
Is it a security issue?
Thank you! :)
If I understand your question correctly, it appears you're approaching this as a user rather than as a developer.
From the user point of view:
What can I do to prevent it?
Nothing, nor should you.
Is it a security issue?
No. Quite the opposite, it is security at work protecting your browsing experience.
From the website developer point of view:
What can I do to prevent it?
Read up on the CSP rules put in place for your website(s) and adjust these rules as required to only allow what you need to allow for your website to work. This is a very broad topic.
I found the lack of clarification as to what assets are blocked and why a major flaw with the Firefox console (v66), in that it didn't give enough specificity as to what CSP rules were crossed and what site assets were blocked. I found that using the Google Chrome console gave me this information and helped me to clarify my CSP to allow what needed to be allowed.
Is it a security issue?
Not directly. This is security at work protecting the website visitor's browsing experience. Once the CSP is set up to allow the authorised parts of your website to work, the other parts that will be flagged by the CSP mechanism can be ignored (as insecure/unsafe things that should be aborted).

Chrome Extensions and Firefox WebExtensions Manifest: Application Key Support

Firefox WebExtensions require the applications key in extensions' manifests.
Chrome's extensions do not appear to support the applications key and Chrome throws an error when the key is present, unlike Firefox which simply ignores unsupported keys.
Is there a way around this error that does not require the use of two different manifests for each browser?
Chrome gives this error when the applications key appears in the manifest:
Unrecognized manifest key 'applications'.
Maybe not a direct answer to the question, but according to a blog post from Microsoft, "Microsoft Edge extensions now available to preview":
In keeping with our commitment to an interoperable web, we’re participating in the W3C Browser Extension Community Group’s efforts to define standardized extension APIs based on familiar web technologies.
So maybe we can look forward to the future.

Build Chrome extension using backbone.js? (Content Security Policy error when using template)

I'm building a project (like a website) as a Chrome extension; the JS framework is Backbone.js.
Rendering views with Backbone's templates is very nice and helps me easily display data content. Everything works fine in a normal project but not in the Chrome extension (it always shows the 'Content Security Policy' error message).
How can I deal with this problem? Or can you suggest another framework that makes it easy to build a Chrome extension?
Thanks so much.
Either change your copy of backbone.js to comply with applicable CSP, or change the extension's CSP.
I resolved my problem.
I added: "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"
to my manifest file and it works fine.
It's not recommended by Google Chrome but it's ok for me.
Thanks.
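The accepted answer's first option, changing the template code so it complies with the default policy, is the one that avoids `'unsafe-eval'`. The reason Backbone's templates trip the CSP is that Underscore's `_.template` compiles each template into a function with `new Function()`, which `script-src 'self'` blocks in an extension page. The following is an added example, not code from the question, the answers, or Backbone/Underscore: an eval-free renderer that interprets a `{{ path.to.value }}` placeholder syntax (the syntax is this example's own choice) by string replacement and HTML-escapes every interpolated value, next to a minimal eval-based compiler that shows what the blocked approach does. The sample data is constructed.

```javascript
// Added example (not from the question or answers): rendering templates without
// runtime code generation, so the extension can keep "script-src 'self'".

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that matter when inserting text into HTML.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => ESCAPES[ch]);
}

// Render "{{ path.to.value }}" placeholders by plain string replacement: no eval,
// no new Function(), so the default extension CSP is satisfied. Every value is
// escaped, and an unknown path renders as "" rather than the string "undefined".
function render(template, data) {
  return template.replace(/\{\{\s*([\w.]+)\s*\}\}/g, (_, path) => {
    const value = path.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), data);
    return value == null ? '' : escapeHtml(value);
  });
}

// For comparison: the shape of an eval-based template compiler (what _.template does
// at heart). In an extension page under "script-src 'self'" the new Function() call
// throws an EvalError; it only runs here because Node imposes no CSP. Note that it
// also inserts values unescaped, which is a second reason to prefer render().
function compileWithEval(template) {
  const body = 'return "'
    + template.replace(/"/g, '\\"').replace(/\{\{\s*([\w.]+)\s*\}\}/g, '" + data.$1 + "')
    + '";';
  return new Function('data', body);
}

// Constructed sample: a feed item whose title contains markup characters.
const item = { post: { title: 'Tom & Jerry <b>live</b>', author: { name: 'Page Admin' } } };
const listItem = '<li>{{ post.title }} by {{ post.author.name }}</li>';
console.log(render(listItem, item));            // escaped, CSP-safe
console.log(compileWithEval(listItem)(item));   // unescaped, needs 'unsafe-eval'
```

A Backbone view's `render` can call `render(templateString, this.model.toJSON())` and assign the result with `this.$el.html(...)` exactly as it would with a compiled Underscore template; the difference is that no code is generated at runtime, so the manifest can keep the default `content_security_policy`.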