Firestore + Chrome extension content policy rule - google-chrome-extension

i try to use this : "content_security_policy": "script-src 'self' 'sha256-GgRxr...' https://cdn.firebase.com https://www.gstatic.com/ https://*firebaseio.com https://www.googleapis.com; object-src 'self'; connect-src 'self' wss://*firebaseio.com;",
but it does not work, i have read bunch of tutorials but all of them are about connecting Chrome Extension with Firebase only. I don't see any that are about connecting Chrome Extension with Firestore.
currently, this is a ReactJS web project, so if i load the normal website with 'yarn start' everything run perfectly. But when i use it with my extension the data document does not update to Firestore.
Sorry for my English.

You can get rid of the content_security_policy error by using the "externally_connectable" property on your manifest.json and match it against the googleapis.com domain that Firestore uses:
"externally_connectable": {
"matches": ["*://*.googleapis.com/*"]
},
This will only work as long as your request to Firestore is happening from the extension itself and not from the content.js script, unfortunately, if you try to trigger a request from a content script you'll get a CORB's error - you can find more info on this link: https://www.chromium.org/Home/chromium-security/extension-content-script-fetches

Related

Chrome extension refuses to load script because of content security policy (trying to run babel in a chrome extension)

The react documentation points to this file as an example of using babel inline https://raw.githubusercontent.com/reactjs/reactjs.org/master/static/html/single-file-example.html
Even though it's not recommended for production, it would be helpful for me to develop faster if I could just write jsx for the time being in my chrome extension without having to compile myself. My issue is that if you try this you get an error in a chrome extension.
babel.min.js:1 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' https://unpkg.com". Either the 'unsafe-inline' keyword, a hash ('sha256-FN6NaNuBVCZD7+6eEydixs7VVD0vxTZKnwjth9yDpCC='), or a nonce ('nonce-...') is required to enable inline execution.
I've tried adding a content security policy to my chrome extension, but still get the same error: Here is my policy in my chrome extension manifest
"content_security_policy": "script-src 'self' 'unsafe-eval' https://unpkg.com; object-src 'self' 'sha256-FN6NaNuBVCZD7+6eEydixs7VVD0vxTZKnwjth9yDpCC='"
Anyone have any ideas on what I'm doing wrong?

chrome extension refuses to load Google analytics

I've followed countless stackoverflow tutorials specifying how to install Google analytics correctly for your chrome extension but nothing has seemed to work me this far.
Right now I have the Google analytics tracking code inside of my main js file:
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-XXXXXXXX-1', 'auto');
ga('set', 'checkProtocolTask', function(){});
ga('require', 'displayfeatures');
ga('send', 'pageview', '/override.html');
My content_security_policy looks like this:
"content_security_policy": "script-src 'self' https://query.yahooapis.com https://google-analytics.com; object-src 'self'"
When I run it inside of my local extension the error I get is:
Refused to load the script 'https://www.google-analytics.com/analytics.js' because it violates the following Content Security Policy directive: "script-src 'self' https://query.yahooapis.com https://google-analytics.com".
I've even tried downloading the analytics.js file and using that inside of a content_script but that didn't work either... Any ideas? I think I've looked at every stackoverflow questions there is about Google analytics inside of chrome extension and none have seemed to work...

Unit Test Code Coverage for a Chrome Extension

I have several QUnit tests running successfully for our extension.
I'd like to gather code coverage information, and thought I would use blanket.js to do so.
However, when I click the 'Enable coverage' button, I see several CSP violation messages in the JavaScript Console:
Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'
I've tried updating the content security policy of the extension, adding 'unsafe-inline' and 'unsafe-eval'. With the 'unsafe-inline', Chrome doesn't load the extension. And the 'unsafe-eval' option doesn't fix the problem.
Below is the snippet of CSP from my manifest.json file:
"content_security_policy": "default-src 'unsafe-inline' 'self'"
Is there a way to get blanket.js to run successfully for a Chrome extension?
If not, is there an alternative to blanket.js for Chrome extensions?
I'm currently using:
Chrome 34
blanket - v1.1.5
QUnit v1.10.0
Any help would be appreciated.
You can try changing the implementation of _addScript to:
function(data) {
(1,eval)(data);
}
And adding 'unsafe-eval' to your CSP.

Firebase + Chrome content security policy settings?

I'm trying to use Firebase in a Chrome extension background page, but it looks like it's executing inline-scripts, which isn't allowed because of security concerns.
I've currently set the CSP to:
{"content_security_policy":
"script-src 'self' https://cdn.firebase.com https://<my-subdomain>.firebaseio.com; object-src 'self'"}
I'm able to load the initial Firebase script, but upon calling new Firebase('my-firebase-url'), I get the following error:
Refused to execute inline script because it violates the following
Content Security Policy directive: ". Uncaught
ReferenceError: pRTLPCB is not defined
Is there any work around or advice the Firebase team (or anyone) can give, and maybe an explanation of why scripts are being executed inline?
At the time the question was asked, there was a bug preventing Firebase from working in Chrome extensions, but this has now been fixed.
The correct CSP is:
"content_security_policy": "script-src 'self' https://cdn.firebase.com https://*.firebaseio.com; object-src 'self'"
(Note that the wildcard in the domain is important, since Firebase may connect to other subdomains internally.)
For a sample chrome extension using Firebase, see: https://github.com/firebase/firebase-chrome-extension.
I'm having a similar problem; you see, Firebase's constructor seems to perform some dom manipulation in order to do some scripting (vague, I know), which triggers Chrome CSP because well, you are not supposed to do that.
I even trying to wrap the constructor through the Sandbox Pages, but without success (I get an DOM ERR 18, even though my manifest has all permissions). Same happens if you try to do it in a Background Page or a Popup Page for a Page Action/Browser Action.
Alternative? You can inject Firebase as a content script (do it from your manifest), and through Message Passing send the callbacks as Chrome.extension.sendMessage. I'm exactly doing this at the moment, so I can tell you how that goes, so far, at least the Firebase constructor works.
Solution? James Tampling reads this and prompts the Firebase team to look up after this :)
UPDATE: Injecting Firebase.js as a Content Script doesn't work neither, but the good news is that the Firebase team (reach Andrew Lee) is checking it out.
UPDATE 2 Firebase team fixed it, and now it does work from a Popup page (both in a Browser Popup or a Page Action one). You need to add the following CSP in your manifest.json though "content_security_policy": "script-src 'self' 'unsafe-eval' https://cdn.firebase.com https://*.firebaseio.com https://*.firebaseio.com; object-src 'self'; " It works wonders after that.
I have a cordova js app, only the below one worked:
<meta http-equiv="Content-Security-Policy" content="
default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval';
script-src 'self' https://www.gstatic.com https://cdn.firebase.com https://*.firebaseio.com; object-src 'self';
" />
hope this helps.

Chrome Extension and Content Security Policy and GWT RPC

I have chrome extension in that I am trying to use GWT RPC. Cant make it work. I compile my GWT code with <add-linker name="xsiframe" /> in my module xml file. I am still getting following exceptions in js chrome console without any line numbers:
Refused to execute JavaScript URL because of Content-Security-Policy.
My manifest.json, ver.2is like this:
"permissions": [
"http://*/"
],
"content_security_policy": "default-src * 'unsafe-inline'; script-src 'self'; object- src 'self'; frame-src about:",
"web_accessible_resources": [
"js-lib/",
"js-code/",
"compiled_gwt_code_from_gwt-war/"
]
Is there a know solution for this deployment? Or what is probably wrong?
Thanks
The new CSP is bullshit. It deliberately cuts off functionality, and it doesn't allow overrides, even though developers know damn well what they're doing.
For now, revert to manifest v.1 in extension manifest.
...
manifest_version: 1,
...
The spec should probably become less communist in the future.

Resources