Chrome Extension: Would changing content_security_policy in manifest disable past users? - google-chrome-extension

I know that changing permissions will disable your existing users, thats why you can use optional permissions. However, content_security_policy adds another layer to this.
Here is my current setup:
My permissions:
"permissions": [
"storage"
],
Currently using content_scripts
"content_scripts": [ {
"all_frames": true,
"js": [
"js/helpers/BrowserStorage.js",
"js/helpers/LocalStorage.js",
"js/helpers/Device.js",
"js/frame.js"
],
"matches": [
"https://example.com/*"
],
"run_at": "document_start"
} ],
And currently using the content_security_policy
"content_security_policy": "default-src 'self'; style-src 'self' 'unsafe-inline'; frame-src https://*.example.com 'self'; object-src 'self'"
This has allowed my current user base to enable access to example.com, without adding example.com into permissions in the first place. Which I feel like I should have done to begin with, nonetheless, I forgot.
Questions
:
If I were to add example.com into the permissions section, would that disable current users, even though my domain is already allowed from the previous 2 sections above?
If I were to change the content_security_policy with either another domain name OR add other elements using the same domain name, would permissions be disabled on existing users?
Example:
if I were to change it to this instead, would existing users be disabled?
"content_security_policy": "default-src 'self' 'unsafe-inline' 'sha256-tempUn1btibnrWwQxEk37lMGV1Nf8FO/GXxNhLEsPdg=' 'sha256-7KQKVSgvvLBSyYII9Tvlef97RiFP4uLjKxCP55HNxC8=' https://example.com; style-src 'self' 'unsafe-inline'; frame-src https://example.com 'self'; object-src 'self'; img-src https://example.com; connect-src https://example.com"
Thanks, hopefully someone might be able to help on understanding what might trigger permissions, I hate to disable existing users, and its almost impossible to really test this.

Browser extensions are loaded on the user's device and store the application manifest and permissions there.
Changing permissions will NOT disable existing users until they update Extension.
After updating, the Extension should check existing permissions and re-ask permissions if it changed those's set.
Otherwice the Extension wil failed to operate properly ("will disable your existing users" in your words).
In case of content_security_policy key in the manifest file the situation is easier.
Past users still have an old Extension with an old manifest and old content_security_policy key value. So they will not be blocked.
After updating the Extension, users will got a new manifest with a new content_security_policy key value, so all should be OK.
PS: The answer is not based on my previous experience, but based only on how things should work.

Related

Content security policy is blocking React Google Charts how to get past it

My current content security policy section of code allows inline. The app blocks rendering of the charts during the production build. How should I add permissions for google charts I can't find anything regarding this on their page:
https://www.npmjs.com/package/react-google-charts#installation
My current code (manifest.json):
"content_security_policy": "script-src 'self' 'sha256-/8hmd4DqwVs419dLsNQ5IDmaKuXZyjZnNQcgWS+mCk4='; object-src 'self'",
Needed to add:
<script src="https://www.gstatic.com/charts/loader.js"></script>
to the header to make it work

How to set Permissions and Content Security Policy for Chrome extension

I'm trying to get my Chrome extension approved and want to understand how I should properly fill in the "permissions" and "csp" sections of the manifest.json. Those parts looks as follows:
...
"permissions": [
"storage",
"http://api.openweathermap.org/data/2.5/weather*"
],
"content_security_policy": "default-src 'self' http://api.openweathermap.org/data/2.5/weather*; script-src 'self'"
...
And that got rejected.
I'm using only:
localStorage to store info about weather;
Openweathermap API to get weather info (JSON).
I don't use any remote scripts.
So, my questions are:
Do I really need a "storage" string if I use localStorage (not a chrome.storage)?
What is a proper way to set a CSP in my case?

Whitelist multiple domains in content security policy

I am writting a chrome extension that needs to have two domains in its whitelist for the content security policy. I've looked at the official docs, but I still can't seem to figure out the proper syntax.
The following does not seem to work:
"content_security_policy": "script-src 'self' https://foo.com https://example.com; object-src 'self'"
EDIT:
Both my content script and my popup are able to reach foo.com, however, neither can reach example.com.
Are chrome extensions capable of having multiple sources whitelisted in the CSP?
From what I know about CSPs, this looks syntactically correct. The HTML5 Rocks article on CSP agrees with your syntax, saying:
script-src https://host1.com https://host2.com would correctly specify both origins as valid.
However, your problem may be that either:
This CSP disallows all subdomains, including www.foo.com and www.example.com. You can add those subdomain hostnames explicitly, or you can use https://*.foo.com to allow all subdomains.
If any of your script requests redirect to a non-permitted domain, the request will fail. For example, if https://example.com/foo.js responds with a 301 or 302 redirect to https://notpermitted.com/foo.js (not-permitted origin) or https://www.example.com/foo.js (non-permitted subdomain), the request will fail according to the spec:
Whenever the user agent fetches a URI (including when following redirects)... if the URI does not match the allowed script sources, the user agent must act as if it had received an empty HTTP 400 response...
EDIT:
Just to confirm, yes, Chrome extensions can whitelist multiple HTTPS origins. You can build a simple extension to test this:
manifest.json
{
"name":"CSP Test",
"version":"1.0",
"manifest_version":2,
"browser_action":{
"default_popup":"csp_test.html"
},
"content_security_policy": "script-src 'self' https://www.iana.org https://ajax.googleapis.com; object-src 'self'"
}
csp_test.html
<script src="https://www.iana.org/_js/2013.1/jquery.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/jqueryui/1.10.3/jquery-ui.min.js"></script>
<script src="csp_test.js"></script>
csp_test.js
alert(jQuery)
alert(jQuery.ui)
This extension loads jQuery and jQuery UI from remote domains. If you remove either origin from the CSP, you will see an "undefined" alert signifying that one of the libraries failed to load.
I have face the same problem to whitelist the secure resources URL's with the below warning.
There were warnings when trying to install this extension:
« Ignored insecure CSP value "object-src" in directive 'script-src'.
« CSP directive 'object-src' must be specified (either explicitly, or implicitly via 'default-src') and must whitelist only secure resources.
To resolve HTTP Content-Security-Policy use below key value in manifest.json file.
{
"content_security_policy":
"script-src 'self' https://yash.test.com:8443 'unsafe-eval'; object-src 'self' https://yash.test.com:8443"
}

Firebase + Chrome content security policy settings?

I'm trying to use Firebase in a Chrome extension background page, but it looks like it's executing inline-scripts, which isn't allowed because of security concerns.
I've currently set the CSP to:
{"content_security_policy":
"script-src 'self' https://cdn.firebase.com https://<my-subdomain>.firebaseio.com; object-src 'self'"}
I'm able to load the initial Firebase script, but upon calling new Firebase('my-firebase-url'), I get the following error:
Refused to execute inline script because it violates the following
Content Security Policy directive: ". Uncaught
ReferenceError: pRTLPCB is not defined
Is there any work around or advice the Firebase team (or anyone) can give, and maybe an explanation of why scripts are being executed inline?
At the time the question was asked, there was a bug preventing Firebase from working in Chrome extensions, but this has now been fixed.
The correct CSP is:
"content_security_policy": "script-src 'self' https://cdn.firebase.com https://*.firebaseio.com; object-src 'self'"
(Note that the wildcard in the domain is important, since Firebase may connect to other subdomains internally.)
For a sample chrome extension using Firebase, see: https://github.com/firebase/firebase-chrome-extension.
I'm having a similar problem; you see, Firebase's constructor seems to perform some dom manipulation in order to do some scripting (vague, I know), which triggers Chrome CSP because well, you are not supposed to do that.
I even trying to wrap the constructor through the Sandbox Pages, but without success (I get an DOM ERR 18, even though my manifest has all permissions). Same happens if you try to do it in a Background Page or a Popup Page for a Page Action/Browser Action.
Alternative? You can inject Firebase as a content script (do it from your manifest), and through Message Passing send the callbacks as Chrome.extension.sendMessage. I'm exactly doing this at the moment, so I can tell you how that goes, so far, at least the Firebase constructor works.
Solution? James Tampling reads this and prompts the Firebase team to look up after this :)
UPDATE: Injecting Firebase.js as a Content Script doesn't work neither, but the good news is that the Firebase team (reach Andrew Lee) is checking it out.
UPDATE 2 Firebase team fixed it, and now it does work from a Popup page (both in a Browser Popup or a Page Action one). You need to add the following CSP in your manifest.json though "content_security_policy": "script-src 'self' 'unsafe-eval' https://cdn.firebase.com https://*.firebaseio.com https://*.firebaseio.com; object-src 'self'; " It works wonders after that.
I have a cordova js app, only the below one worked:
<meta http-equiv="Content-Security-Policy" content="
default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval';
script-src 'self' https://www.gstatic.com https://cdn.firebase.com https://*.firebaseio.com; object-src 'self';
" />
hope this helps.

Chrome Extension and Content Security Policy and GWT RPC

I have chrome extension in that I am trying to use GWT RPC. Cant make it work. I compile my GWT code with <add-linker name="xsiframe" /> in my module xml file. I am still getting following exceptions in js chrome console without any line numbers:
Refused to execute JavaScript URL because of Content-Security-Policy.
My manifest.json, ver.2is like this:
"permissions": [
"http://*/"
],
"content_security_policy": "default-src * 'unsafe-inline'; script-src 'self'; object- src 'self'; frame-src about:",
"web_accessible_resources": [
"js-lib/",
"js-code/",
"compiled_gwt_code_from_gwt-war/"
]
Is there a know solution for this deployment? Or what is probably wrong?
Thanks
The new CSP is bullshit. It deliberately cuts off functionality, and it doesn't allow overrides, even though developers know damn well what they're doing.
For now, revert to manifest v.1 in extension manifest.
...
manifest_version: 1,
...
The spec should probably become less communist in the future.

Resources