How to set Permissions and Content Security Policy for Chrome extension - google-chrome-extension

I'm trying to get my Chrome extension approved and want to understand how I should properly fill in the "permissions" and "csp" sections of the manifest.json. Those parts look as follows:
...
"permissions": [
    "storage",
    "http://api.openweathermap.org/data/2.5/weather*"
],
"content_security_policy": "default-src 'self' http://api.openweathermap.org/data/2.5/weather*; script-src 'self'"
...
And that got rejected.
I'm using only:
localStorage to store info about weather;
Openweathermap API to get weather info (JSON).
I don't use any remote scripts.
So, my questions are:
Do I really need a "storage" string if I use localStorage (not a chrome.storage)?
What is a proper way to set a CSP in my case?
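As an added example, not code from the question or from any answer on this page: the snippet below implements CSP source-expression matching for URL-fetching directives, so the posted policy can be checked against the request it is meant to allow. It makes two points concrete. First, CSP paths carry no wildcard: a path without a trailing slash must match exactly, a path with a trailing slash is a prefix, and the query string is ignored, so "weather*" matches only the literal path /data/2.5/weather* and never /data/2.5/weather?q=... Second, Chrome's default extension-page policy is "script-src 'self'; object-src 'self'", which leaves connect-src unrestricted; it is adding a default-src that makes the API origin need listing (under connect-src or default-src). The extension id in SELF_ORIGIN is made up, the weather URL is constructed, and path comparison is simplified to plain string matching.

```javascript
// Added example (not from the question): a small CSP Level 3 source-expression
// matcher for URL-fetching directives such as connect-src (falling back to
// default-src). Supported: 'self', '*', scheme sources ("https:"), and host
// sources ([scheme://]host[:port][/path]) with wildcard host and port. Path
// comparison is simplified to plain string prefix/exact matching; nonces and
// hashes never apply to URL fetches and are skipped.

// Assumed extension id (a real one is chrome-extension://<32 letters a-p>).
const SELF_ORIGIN = 'chrome-extension://abcdefghijklmnopabcdefghijklmnop';
const DEFAULT_PORTS = { http: '80', https: '443', ws: '80', wss: '443' };
const NETWORK_SCHEMES = ['http', 'https', 'ws', 'wss'];

// Node's URL.origin is "null" for non-special schemes, so build the origin by hand.
function originOf(url) { return `${url.protocol}//${url.host}`; }
function schemeOf(url) { return url.protocol.slice(0, -1).toLowerCase(); }

// "dir1 a b; dir2 c" -> Map { 'dir1' => ['a', 'b'], 'dir2' => ['c'] }; first occurrence wins.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// An http source also matches https URLs and a ws source also matches wss.
function schemeMatches(srcScheme, urlScheme) {
  return srcScheme === urlScheme ||
    (srcScheme === 'http' && urlScheme === 'https') ||
    (srcScheme === 'ws' && urlScheme === 'wss');
}

function hostSourceMatches(source, url) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^:\/\s*]+)(?::(\*|\d+))?(\/[^?#]*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  const urlScheme = schemeOf(url);
  // A source without a scheme takes the scheme of the page carrying the policy.
  const srcScheme = (scheme || schemeOf(new URL(SELF_ORIGIN))).toLowerCase();
  if (!schemeMatches(srcScheme, urlScheme)) return false;
  const h = host.toLowerCase();
  if (h.startsWith('*.')) {
    const suffix = h.slice(1); // ".example.com": must match a subdomain
    if (!url.hostname.endsWith(suffix) || url.hostname.length <= suffix.length) return false;
  } else if (h !== '*' && url.hostname !== h) return false;
  // No port in the source: the URL must be on its scheme's default port (URL.port is '' then).
  if (port === undefined) { if (url.port !== '') return false; }
  else if (port !== '*' && port !== (url.port || DEFAULT_PORTS[urlScheme] || '')) return false;
  // Path: a trailing "/" means prefix match; anything else must match exactly.
  // CSP paths have no wildcard: "*" is an ordinary character here.
  if (path) {
    if (path.endsWith('/')) { if (!url.pathname.startsWith(path)) return false; }
    else if (url.pathname !== path) return false;
  }
  return true;
}

// Is a request to urlString permitted by `directive` under `policy`?
function urlAllowed(policy, directive, urlString) {
  const url = new URL(urlString);
  const directives = parseCsp(policy);
  const sources = directives.get(directive) || directives.get('default-src');
  if (sources === undefined) return true; // neither the directive nor default-src set: unrestricted
  const urlScheme = schemeOf(url);
  for (const src of sources) {
    const lower = src.toLowerCase();
    if (lower === "'self'") { if (originOf(url) === SELF_ORIGIN) return true; continue; }
    if (lower === '*') {
      if (NETWORK_SCHEMES.includes(urlScheme) || urlScheme === schemeOf(new URL(SELF_ORIGIN))) return true;
      continue;
    }
    if (lower.startsWith("'")) continue; // 'none', 'unsafe-*', nonces, hashes: not URL matchers
    if (/^[a-z][a-z0-9+.-]*:$/.test(lower)) { // scheme source such as "https:"
      if (schemeMatches(lower.slice(0, -1), urlScheme)) return true;
      continue;
    }
    if (hostSourceMatches(src, url)) return true;
  }
  return false;
}

// The question's policy, and one that lists the API origin under connect-src.
// Chrome's default extension-page policy ("script-src 'self'; object-src 'self'")
// does not restrict connect-src at all; adding default-src is what makes the
// API origin need listing.
const POSTED_CSP = "default-src 'self' http://api.openweathermap.org/data/2.5/weather*; script-src 'self'";
const FIXED_CSP = "default-src 'self'; connect-src 'self' https://api.openweathermap.org; script-src 'self'; object-src 'self'";
// Constructed request URL; the path has no trailing slash and the query is not part of CSP matching.
const WEATHER_URL = 'https://api.openweathermap.org/data/2.5/weather?q=London&appid=APPID';
```

With POSTED_CSP, urlAllowed(POSTED_CSP, 'connect-src', WEATHER_URL) is false because the only path the source admits is the literal /data/2.5/weather*; with FIXED_CSP the same request is allowed, a request to another host or to a non-default port is refused, and script-src still admits nothing but the extension's own files.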

Related

Include a third-party library as a content script without violating CSP & Intercepting headers

I am currently writing a browser extension that supports Manifest-v2 and v3 which requires the CashJS library (lightweight version of JQuery) for convenience. I would like my content script content/index.js to be able to use this library content/cash.min.js but I get a CSP violation stating:
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-wThdlNeRf1Fp3UGuX3Ch9caqVJ8S7Wn41fdlaVxsRDE='), or a nonce ('nonce-...') is required to enable inline execution.
Here is my manifest.json (for v3):
...
"content_scripts": [{
    ...
    "js": [
        "content/cash.min.js",
        "content/index.js"
    ]
}],
...
I have tried using content_security_policy in various ways (hashes & enabling unsafe-inline) but Chrome refuses it:
"content_security_policy": "script-src 'self' 'sha256-wThdlNeRf1Fp3UGuX3Ch9caqVJ8S7Wn41fdlaVxsRDE='; object-src 'self';"
It gives the error "Invalid value for 'content_security_policy'." when attempting to load the extension. I have read this page from Mozilla as well as other posts discussing this issue but haven't found a solution that fits my needs.
This article from Chrome's documentation mentions using their sandboxing feature but it only seems to work for webpages, not the scripts themselves.
I really don't want to intercept the headers as proposed here.
Any help would be much appreciated!

Chrome Extension: Would changing content_security_policy in manifest disable past users?

I know that changing permissions will disable your existing users, that's why you can use optional permissions. However, content_security_policy adds another layer to this.
Here is my current setup:
My permissions:
"permissions": [
    "storage"
],
Currently using content_scripts
"content_scripts": [ {
    "all_frames": true,
    "js": [
        "js/helpers/BrowserStorage.js",
        "js/helpers/LocalStorage.js",
        "js/helpers/Device.js",
        "js/frame.js"
    ],
    "matches": [
        "https://example.com/*"
    ],
    "run_at": "document_start"
} ],
And currently using the content_security_policy
"content_security_policy": "default-src 'self'; style-src 'self' 'unsafe-inline'; frame-src https://*.example.com 'self'; object-src 'self'"
This has allowed my current user base to enable access to example.com, without adding example.com into permissions in the first place. Which I feel like I should have done to begin with, nonetheless, I forgot.
Questions:
If I were to add example.com into the permissions section, would that disable current users, even though my domain is already allowed from the previous 2 sections above?
If I were to change the content_security_policy with either another domain name OR add other elements using the same domain name, would permissions be disabled on existing users?
Example:
if I were to change it to this instead, would existing users be disabled?
"content_security_policy": "default-src 'self' 'unsafe-inline' 'sha256-tempUn1btibnrWwQxEk37lMGV1Nf8FO/GXxNhLEsPdg=' 'sha256-7KQKVSgvvLBSyYII9Tvlef97RiFP4uLjKxCP55HNxC8=' https://example.com; style-src 'self' 'unsafe-inline'; frame-src https://example.com 'self'; object-src 'self'; img-src https://example.com; connect-src https://example.com"
Thanks, hopefully someone might be able to help me understand what might trigger permissions. I hate to disable existing users, and it's almost impossible to really test this.
Browser extensions are loaded on the user's device and store the application manifest and permissions there.
Changing permissions will NOT disable existing users until they update Extension.
After updating, the Extension should check existing permissions and re-ask for permissions if their set changed.
Otherwise the Extension will fail to operate properly ("will disable your existing users" in your words).
In case of content_security_policy key in the manifest file the situation is easier.
Past users still have an old Extension with an old manifest and old content_security_policy key value. So they will not be blocked.
After updating the Extension, users will get a new manifest with a new content_security_policy key value, so all should be OK.
PS: The answer is not based on my previous experience, but based only on how things should work.
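As an added example, not part of the answer above: a manifest diff that follows the outline of what Chrome evaluates at update time. Host access is the union of host patterns in permissions (MV2), host_permissions (MV3) and every content_scripts matches entry, which is why a content script match already counts as a host permission, and content_security_policy does not enter the computation at all. Pattern containment is simplified (exact hosts, "*." wildcards and trailing-star paths), optional_permissions are ignored because they are requested at runtime, and the two manifests are abridged versions of the ones in the question.

```javascript
// Added example (not from the question or the answer): a manifest diff that
// follows the outline of Chrome's update-time permission check. Host access is
// the union of host patterns in "permissions" (MV2), "host_permissions" (MV3)
// and every content_scripts[].matches entry; "content_security_policy" is not
// a permission and never enters the check. Pattern containment is simplified
// (exact hosts, "*." wildcards, trailing "*" paths) and "optional_permissions"
// are ignored because they are requested at runtime.

function parseMatchPattern(pattern) {
  if (pattern === '<all_urls>') return { scheme: '*', host: '*', path: '/*' };
  const m = /^(\*|https?|wss?|ftp):\/\/(\*|(?:\*\.)?[^\/*]+)(\/.*)$/.exec(pattern);
  return m ? { scheme: m[1], host: m[2].toLowerCase(), path: m[3] } : null;
}

function isHostPattern(entry) {
  return entry === '<all_urls>' || entry.includes('://');
}

// Does granted pattern q cover every URL that requested pattern p matches?
function patternCovers(q, p) {
  if (!q || !p) return false;
  const schemeOk = q.scheme === '*' ? ['*', 'http', 'https'].includes(p.scheme) : q.scheme === p.scheme;
  let hostOk;
  if (q.host === '*') hostOk = true;
  else if (q.host.startsWith('*.')) {
    // "*.example.com" matches example.com and every subdomain
    const base = q.host.slice(2);
    const pBase = p.host.startsWith('*.') ? p.host.slice(2) : p.host;
    hostOk = p.host !== '*' && (pBase === base || pBase.endsWith('.' + base));
  } else hostOk = q.host === p.host; // an exact host does not cover "*.host"
  const pathOk = q.path === '/*' ? true
    : q.path.endsWith('*') ? p.path.startsWith(q.path.slice(0, -1))
    : q.path === p.path;
  return schemeOk && hostOk && pathOk;
}

function hostPatternsOf(manifest) {
  return [...new Set([
    ...(manifest.permissions || []).filter(isHostPattern),
    ...(manifest.host_permissions || []),
    ...(manifest.content_scripts || []).flatMap(cs => cs.matches || []),
  ])];
}

function apiPermissionsOf(manifest) {
  return (manifest.permissions || []).filter(p => !isHostPattern(p));
}

// What the new manifest asks for that the old one did not already grant.
// Any newHosts entry is a host warning the user has not approved, so Chrome
// disables the updated extension until they do. newApiPermissions must be
// checked against Chrome's warning table (e.g. "storage" carries no warning),
// which this example does not reproduce.
function permissionDiff(oldManifest, newManifest) {
  const granted = hostPatternsOf(oldManifest).map(parseMatchPattern);
  const newHosts = hostPatternsOf(newManifest)
    .filter(p => !granted.some(q => patternCovers(q, parseMatchPattern(p))));
  const oldApi = new Set(apiPermissionsOf(oldManifest));
  const newApiPermissions = apiPermissionsOf(newManifest).filter(p => !oldApi.has(p));
  return { newHosts, newApiPermissions };
}

// Abridged versions of the manifests in the question.
const CURRENT_MANIFEST = {
  permissions: ['storage'],
  content_scripts: [{ all_frames: true, matches: ['https://example.com/*'], js: ['js/frame.js'], run_at: 'document_start' }],
  content_security_policy: "default-src 'self'; style-src 'self' 'unsafe-inline'; frame-src https://*.example.com 'self'; object-src 'self'",
};
const PROPOSED_MANIFEST = {
  permissions: ['storage', 'https://example.com/*'],
  content_scripts: CURRENT_MANIFEST.content_scripts,
  content_security_policy: "default-src 'self' https://example.com; frame-src https://example.com 'self'; object-src 'self'; img-src https://example.com; connect-src https://example.com",
};
```

permissionDiff(CURRENT_MANIFEST, PROPOSED_MANIFEST) reports nothing new: the host was already granted through the content script match, and the changed policy string is invisible to the check. Adding a host the old manifest never matched, or a broader pattern such as *://*.example.com/*, shows up in newHosts.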

Firestore + Chrome extension content policy rule

I tried to use this: "content_security_policy": "script-src 'self' 'sha256-GgRxr...' https://cdn.firebase.com https://www.gstatic.com/ https://*firebaseio.com https://www.googleapis.com; object-src 'self'; connect-src 'self' wss://*firebaseio.com;",
but it does not work. I have read a bunch of tutorials, but all of them are about connecting a Chrome Extension with Firebase only. I don't see any that are about connecting a Chrome Extension with Firestore.
Currently, this is a ReactJS web project, so if I load the normal website with 'yarn start' everything runs perfectly. But when I use it with my extension, the data document does not update in Firestore.
Sorry for my English.
You can get rid of the content_security_policy error by using the "externally_connectable" property on your manifest.json and match it against the googleapis.com domain that Firestore uses:
"externally_connectable": {
    "matches": ["*://*.googleapis.com/*"]
},
This will only work as long as your request to Firestore is happening from the extension itself and not from the content.js script. Unfortunately, if you try to trigger a request from a content script you'll get a CORB error; you can find more info at this link: https://www.chromium.org/Home/chromium-security/extension-content-script-fetches
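An added example, not code from the answer, of the pattern described at the linked chromium.org page: the content script sends a message and the background script performs the fetch, which runs with the extension's host permissions and is not subject to CORB. Before touching the network the background checks the target against an origin allowlist and only accepts messages from this extension, so a page cannot turn the proxy into a generic fetch with extension privileges. Firestore's REST endpoint is firestore.googleapis.com (the connect-src in the posted policy lists only 'self' and the Realtime Database websocket host, so the extension page itself cannot reach that origin until it is added); the project id, collection, document and bearer token below are assumptions.

```javascript
// Added example (not from the answer): the pattern the linked chromium.org
// page recommends. The content script sends a message; the background script
// performs the fetch with the extension's host permissions, where CORB does
// not apply. Before touching the network the background checks the target
// against an origin allowlist and only accepts messages from this extension,
// so a page cannot turn the proxy into a generic fetch with extension
// privileges. Firestore's REST endpoint is firestore.googleapis.com; the
// project id, collection, document and bearer token are assumptions.

const ALLOWED_API_ORIGINS = new Set(['https://firestore.googleapis.com']);
const ID_TOKEN = 'assumed-firebase-id-token'; // in a real extension: from Firebase Auth

function isAllowedApiUrl(urlString) {
  let url;
  try { url = new URL(urlString); } catch { return false; }
  return url.protocol === 'https:' && ALLOWED_API_ORIGINS.has(url.origin);
}

// Firestore typed values (subset of the REST "Value" object).
function toFirestoreValue(v) {
  if (typeof v === 'string') return { stringValue: v };
  if (typeof v === 'boolean') return { booleanValue: v };
  if (typeof v === 'number') return Number.isInteger(v) ? { integerValue: String(v) } : { doubleValue: v };
  throw new TypeError(`unsupported value type: ${typeof v}`);
}

// Firestore REST v1: PATCH .../documents/{collection}/{doc} with { fields }.
function buildFirestorePatch(projectId, collection, docId, fields) {
  const doc = `projects/${projectId}/databases/(default)/documents/` +
    `${encodeURIComponent(collection)}/${encodeURIComponent(docId)}`;
  return {
    type: 'api-fetch',
    url: `https://firestore.googleapis.com/v1/${doc}`,
    method: 'PATCH',
    body: { fields: Object.fromEntries(Object.entries(fields).map(([k, v]) => [k, toFirestoreValue(v)])) },
  };
}

// Synchronous policy check, run in the background before any network I/O.
// Returns null when the request may proceed, otherwise the reason for refusal.
function refuseReason(request) {
  if (!request || request.type !== 'api-fetch') return 'unexpected message type';
  if (!isAllowedApiUrl(request.url)) return 'url not in allowlist';
  if (!['GET', 'POST', 'PATCH', 'DELETE'].includes(request.method || 'GET')) return 'method not allowed';
  return null;
}

// Background side. fetchImpl is injectable so the function can be exercised without a network.
async function handleApiFetch(request, token, fetchImpl = fetch) {
  const reason = refuseReason(request);
  if (reason) return { ok: false, status: 0, error: reason };
  const response = await fetchImpl(request.url, {
    method: request.method || 'GET',
    headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${token}` },
    body: request.body === undefined ? undefined : JSON.stringify(request.body),
  });
  return { ok: response.ok, status: response.status, body: await response.text() };
}

// Wiring, only inside the extension (chrome.* does not exist in Node). The
// content-script side is: chrome.runtime.sendMessage(buildFirestorePatch(...), reply => ...).
if (typeof chrome !== 'undefined' && chrome.runtime && chrome.runtime.onMessage) {
  chrome.runtime.onMessage.addListener((msg, sender, sendResponse) => {
    if (sender.id !== chrome.runtime.id) return false; // not one of our own scripts
    handleApiFetch(msg, ID_TOKEN).then(sendResponse);
    return true; // keep the channel open for the async sendResponse
  });
}
```

The allowlist comparison is on the full origin, so http://firestore.googleapis.com/ and a lookalike host such as firestore.googleapis.com.evil.example are both refused before any request is made.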

Loading a local HTML file with javascript files

I'm building my first chrome extension, and I'm running into a very basic problem.
My extension has a background script running all the time, that redirects the url of a webpage to a local web page if certain conditions are met.
chrome.tabs.update(e.tabId, {url: "popup.html"});
Popup.html is loaded into the tab. This works fine, but I want to include some javascript in popup.html.
I'm able to include a popup.js file, but trying document.addEventListener doesn't work, because document is null.
Also, when I try to include jquery.js, I get
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' chrome-extension-resource:".
I tried updating the manifest file properties to this, but it didn't seem to help:
"content_scripts": [
    {
        "matches": ["http://*/*", "https://*/*"],
        "js": ["background.js", "jquery.min.js", "popup.js"]
    }
],
"permissions": [
    "tabs", "http://*/*", "https://*/*",
    "webNavigation"
],
"background": {
    "scripts": ["background.js", "popup.js", "jquery.min.js"]
}
I looked into this document http://developer.chrome.com/stable/extensions/contentSecurityPolicy.html but it didn't have any solution. Any ideas?
Hi, that error says you are running an inline script directly in a tag in your HTML document, or in an event handler like onclick="myCode();". Content Security Policy prevents you from doing so.
I don't know if it's you who wrote that script, or if it is some external framework. Nevertheless, you should make sure you don't have inline code in popup.html, or you should relax your Content Security Policy, allowing inline scripts with 'unsafe-inline'.
Remember that when relaxing the security policy, you are relaxing SECURITY, and your code is more vulnerable to attacks. Do it for debugging purposes, but try to remove it from your release version.
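As an added example (not the asker's popup.html or the answerer's code): a small scan for the three things that produce this class of error under the extension-page policy script-src 'self', namely inline script elements, inline event-handler attributes, and javascript: URLs (the "Refused to execute JavaScript URL" message in the GWT question further down is that third case). The before/after pages and the popup.js text are constructed; the scan is regex-based and meant for hand-written pages, not a full HTML parser.

```javascript
// Added example (not the asker's popup.html or the answer's code): scan an
// extension page for the three things an extension-page policy of
// script-src 'self' refuses: inline <script> blocks, inline event-handler
// attributes and javascript: URLs. Regex-based, so a heuristic for hand-written
// pages rather than an HTML parser. The sample pages are constructed.

const EVENT_ATTR = /\bon(abort|blur|change|click|dblclick|error|focus|input|keydown|keypress|keyup|load|mousedown|mouseout|mouseover|mouseup|submit|unload)\s*=/gi;
const JS_URL_ATTR = /\b(href|src|action|formaction)\s*=\s*["']?\s*javascript:/i;

function findInlineScriptViolations(html) {
  const findings = [];
  // 1. <script> elements without a src attribute and with a non-empty body
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    if (!/\bsrc\s*=/i.test(m[1]) && m[2].trim() !== '') {
      findings.push({ kind: 'inline-script', detail: m[2].trim().slice(0, 40) });
    }
  }
  // 2. inline handlers and 3. javascript: URLs, looked for inside start tags only
  const tagRe = /<[a-z][^>]*>/gi;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[0];
    EVENT_ATTR.lastIndex = 0;
    let a;
    while ((a = EVENT_ATTR.exec(tag)) !== null) {
      findings.push({ kind: 'inline-handler', detail: `on${a[1].toLowerCase()}` });
    }
    const j = JS_URL_ATTR.exec(tag);
    if (j) findings.push({ kind: 'javascript-url', detail: j[1].toLowerCase() });
  }
  return findings;
}

// Constructed "before" page: the same mistakes the error messages on this page report.
const BEFORE_HTML = `<!doctype html>
<html><head>
<script src="jquery.min.js"></script>
<script>document.addEventListener('DOMContentLoaded', init);</script>
</head><body>
<button onclick="refresh()">Refresh</button>
<a href="javascript:void(0)" id="more">More</a>
</body></html>`;

// "After": every piece of script lives in popup.js, loaded from the extension package.
const AFTER_HTML = `<!doctype html>
<html><head>
<script src="jquery.min.js"></script>
<script src="popup.js"></script>
</head><body>
<button id="refresh">Refresh</button>
<a href="#" id="more">More</a>
</body></html>`;

// popup.js, shown as text so this block stays self-contained; init, refresh and
// showMore are assumed to be defined elsewhere in that file.
const POPUP_JS = `document.addEventListener('DOMContentLoaded', () => {
  init();
  document.getElementById('refresh').addEventListener('click', refresh);
  document.getElementById('more').addEventListener('click', e => { e.preventDefault(); showMore(); });
});`;
```

findInlineScriptViolations(BEFORE_HTML) returns one finding of each kind, in document order; the same scan over AFTER_HTML returns nothing, because every handler has moved into popup.js and the anchor no longer carries a javascript: URL.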

Chrome Extension and Content Security Policy and GWT RPC

I have a Chrome extension in which I am trying to use GWT RPC. Can't make it work. I compile my GWT code with <add-linker name="xsiframe" /> in my module xml file. I am still getting the following exceptions in the js chrome console without any line numbers:
Refused to execute JavaScript URL because of Content-Security-Policy.
My manifest.json, version 2, is like this:
"permissions": [
    "http://*/"
],
"content_security_policy": "default-src * 'unsafe-inline'; script-src 'self'; object-src 'self'; frame-src about:",
"web_accessible_resources": [
    "js-lib/",
    "js-code/",
    "compiled_gwt_code_from_gwt-war/"
]
Is there a known solution for this deployment? Or what is probably wrong?
Thanks
The new CSP is bullshit. It deliberately cuts off functionality, and it doesn't allow overrides, even though developers know damn well what they're doing.
For now, revert to manifest v.1 in extension manifest.
...
"manifest_version": 1,
...
The spec should probably become less communist in the future.
