Refused to execute inline script - google-chrome-extension

Chrome extension refused to execute inline script.
Based on past research, I have seen that you have to make a connection between the HTML and your JavaScript file. I have done that, but it still does not work.
popup.html:
<html>
<body>
<button type="button" id="fill">Fill</button><br>
<!-- the handler lives in an external file; the extension CSP blocks inline script -->
<script src="popup.js"></script>
</body>
</html>
popup.js:
// register the click handler from the external script instead of an inline onclick attribute
document.getElementById("fill").addEventListener("click", Fill);
function Fill(){
document.getElementById("first_name").value = "somefirstname";
}
Full error message: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' blob: filesystem: chrome-extension-resource:". Either the 'unsafe-inline' keyword, a hash ('sha256-8AeKgC4PZyj0Lyp/7zt8lB898NYpYADMsfcJvqOwoDs='), or a nonce ('nonce-...') is required to enable inline execution.

Related

problem in Content Security Policy for external scripts

I want to access these scripts:
<script src="https://js.stripe.com/v3/"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/axios/0.21.1/axios.min.js"></script>
<script src="https://api.mapbox.com/mapbox-gl-js/v2.1.1/mapbox-gl.js"> </script>
and this stylesheet:
<link rel="stylesheet" href="https://api.mapbox.com/mapbox-gl-js/v2.1.1/mapbox-gl.css">
but I get errors like this:
Refused to load the script 'https://js.stripe.com/v3/' because it violates the following Content Security Policy directive: "script-src https://cdnjs.cloudflare.com https://api.mapbox.com 'self' blob:". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
I use a meta tag to allow all websites with all assets, but it doesn't work:
<meta http-equiv="Content-Security-Policy" content="default-src https:">
When I changed the version of my axios it worked for me; on that version it is not working. So go to the src of your axios file and change it to another version.

Content Security Policy meta tag within sandboxed iframe not working in Safari (14.0.2)

I'm trying to embed a page whose Content Security Policy does not seem to be respected in Safari, but does work in Chrome, Firefox, Edge, Brave. The embed looks like this:
<iframe src="https://cloudflare-ipfs.com/ipfs/QmUiDhFZeFnJvHgxGbwPucT8kyZvAzBsFFA12vPNxfsP6u/" sandbox="allow-scripts" />
The embedded page looks like this, and contains a CSP meta tag:
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline';">
<title>test</title>
<meta charset="utf-8">
</head>
<body>
<script src="test.js"></script>
</body>
</html>
The CSP should dictate that the page can load resources from its own origin, as well as inline scripts. However, when I try to load the iframe in Safari, I get an error claiming the path to the script does not match the default-src directive:
Refused to load https://cloudflare-ipfs.com/ipfs/QmUiDhFZeFnJvHgxGbwPucT8kyZvAzBsFFA12vPNxfsP6u/test.js because it appears in neither the script-src directive nor the default-src directive of the Content Security Policy.
The response headers for the embedded page look like this:
(screenshot of the response headers, image not included)
Here is a simple jsfiddle demonstrating the issue: https://jsfiddle.net/4hLdygm9/1/
Thanks in advance!
UPDATE:
I have opened an issue on the WebKit Bugzilla and it has been confirmed to be a bug:
https://bugs.webkit.org/show_bug.cgi?id=223848

Content-Security-Policy for local resources

I am trying to deploy a web application locally using Apache Tomcat as a container.
I have a simple page with the following in the head section:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
<link rel="stylesheet" href="pure-min.css">
<link rel="stylesheet" href="styles.css">
<script src="app.js"></script>
and when I try to open the page in Safari 14 I get the error
Refused to load http://localhost:8080/webapp/app.js because it does not appear in the script-src directive of the Content Security Policy.
I have read documentation here and it looks like 'self' would be enough to load my own resources (for both css and javascript). What am I doing wrong ?
thanks
It can be one of 2 issues:
1. The 'self' token does not cover localhost:8080 (with port number) in Safari. But in this case you should additionally have the 2 CSS files blocked, not only the JS. To fix, just add localhost:8080 to the default-src directive.
2. Your Apache Tomcat server publishes a default CSP via an HTTP header. In this case you can't mitigate the CSP using the meta tag and have to modify the CSP response HTTP header.
Check whether you have a CSP HTTP header published; a tutorial is here.
Is this error observed in Safari browser only? What about Chrome/Firefox?

CSP for embedding youtube video

I've just started seeing this with my embedded youtube videos on Chrome (86.0.4240.193 - recently updated which is probably why I'm just seeing this) - these are 'reports' only, so the videos still show but 100s of errors can't be right! This is what I'm seeing:
[Report Only] Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'strict-dynamic' 'unsafe-inline' https: 'report-sample' 'nonce-t9IE7nI2leo7qKxsm7d80g=='".
Here's my iFrame --
<iframe id="video-iframe" width="500" height="281" src="https://www.youtube.com/embed/HIDDENVIDEO" frameborder="0" allowfullscreen ></iframe>
I cannot figure out what the CSP should be -- here's one that I found that apparently solved their problem --
<iframe id="video-iframe" width="500" height="281" src="https://www.youtube.com/embed/HIDDENVIDEO" frameborder="0" allowfullscreen csp="script-src 'self' https://www.google-analytics.com/ https://www.youtube.com/ https://s.ytimg.com/; object-src 'self'; child-src https://www.youtube.com/* https://s.ytimg.com/"></iframe>
Not so much -- I just see: Refused to display....
Any help much appreciated.
I just checked the developers.google.com/youtube/iframe_api_reference#Examples page and I'm seeing the same thing -- surely this shouldn't be happening, right?
As you can see, this error is not triggered by your CSP - yours does not have the 'nonce-t9IE7nI2leo7qKxsm7d80g==' token. This error appears within Google's <iframe> and it's totally Google's internal deal.
The fact is that several previous versions of Chrome had a bug and did not block eval expressions.
In Chrome version 86 they fixed this bug, and to verify the fix they set the Report-Only header and made a fake call to eval to see the reports.
The CSP for YouTube is very simple and does not require 'unsafe-eval', because everything works within an isolated iframe:
frame-src youtube.com www.youtube.com; is enough to allow YouTube in an iframe.
By the way, your CSP has an error - the * is not allowed in the path part. And be careful with <iframe csp= - if the server does not agree with your CSP, the content will be blocked.
But this <iframe csp= played a role because of one more Chrome bug - it ignores Content-Security-Policy-Report-Only if a Content-Security-Policy header is present.
I was able to get my embedded videos working using a meta tag in the <head>:
<meta http-equiv="Content-Security-Policy"
content="default-src 'self'; img-src https://*; child-src 'none'; frame-src youtube.com https://www.youtube.com;">
Add the https:// to www.youtube.com.
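Every error message on this page comes down to the same two questions: which directive governs the load (script-src-elem falls back to script-src and then default-src; frame-src falls back to child-src), and does any source expression in it match the URL. As an added example that is not code from any of the posts above or from any browser, the following JavaScript implements the CSP Level 3 matching rules for exactly those questions: 'self' is scheme + host + port of the protected origin, a host-source without a port only matches the scheme's default port, "*.example.com" does not cover "example.com", a bare "youtube.com" does not cover "www.youtube.com", and a "*" in the path part is a literal rather than a wildcard. The policies used below are copied from the posts; example.com is a constructed page origin. 'strict-dynamic' and browser-specific quirks (such as the Safari behaviour described in the Tomcat answer) are deliberately not modelled.

```javascript
// Added example, not code from any of the posts above or from any browser:
// a small CSP source matcher following the CSP Level 3 matching rules.
// 'strict-dynamic' and browser quirks are not modelled.

// Parse "directive a b; directive2 c" into Map(directive -> [source expressions]).
// A repeated directive is ignored, as the spec requires (first occurrence wins).
function parseCsp(policy) {
  const directives = new Map();
  for (const raw of policy.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Fallback chains, e.g. script-src-elem -> script-src -> default-src.
const FALLBACK = {
  "script-src-elem": ["script-src-elem", "script-src", "default-src"],
  "script-src": ["script-src", "default-src"],
  "frame-src": ["frame-src", "child-src", "default-src"],
};

// The directive that actually governs `directive`, or null when none in the chain is set.
function effectiveDirective(directives, directive) {
  for (const name of FALLBACK[directive] || [directive, "default-src"]) {
    if (directives.has(name)) return { name, sources: directives.get(name) };
  }
  return null;
}

const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// Does one source expression match `url`, given the protected document's origin?
function sourceMatches(expr, url, selfOrigin) {
  const u = new URL(url);
  const self = new URL(selfOrigin);
  const e = expr.toLowerCase();
  if (e === "'self'") {
    // 'self' is the protected origin: same scheme, host and port
    return u.protocol === self.protocol && u.hostname === self.hostname && u.port === self.port;
  }
  if (e.startsWith("'")) return false;           // 'none', 'unsafe-inline', 'nonce-…', 'sha256-…' never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return u.protocol === e;  // scheme-source such as "https:" or "blob:"
  // host-source: [scheme://]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/.exec(e);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (scheme) {
    if (u.protocol !== scheme + ":") return false;
  } else if (u.protocol !== self.protocol && !(self.protocol === "http:" && u.protocol === "https:")) {
    return false;                                // no scheme given: inherit the page's scheme (http may upgrade to https)
  }
  if (host.startsWith("*.")) {
    if (!u.hostname.endsWith(host.slice(1))) return false;  // "*.example.com" covers "a.example.com", not "example.com"
  } else if (host !== "*" && u.hostname !== host) {
    return false;
  }
  const urlPort = u.port || DEFAULT_PORT[u.protocol] || "";
  if (port === "*") { /* any port */ }
  else if (port) { if (urlPort !== port) return false; }
  else if (u.port !== "") return false;          // no port given: only the scheme's default port matches
  if (path) {
    // a path ending in "/" is a prefix match, anything else must match exactly;
    // "*" is not a wildcard in the path part, so "/*" matches no real URL
    if (path.endsWith("/") ? !u.pathname.startsWith(path) : u.pathname !== path) return false;
  }
  return true;
}

// Is fetching `url` under `directive` allowed? Also returns the governing directive, as the error messages do.
function allowsUrl(policy, directive, url, selfOrigin) {
  const eff = effectiveDirective(parseCsp(policy), directive);
  if (!eff) return { allowed: true, directive: null };   // nothing restricts this load
  return { allowed: eff.sources.some((s) => sourceMatches(s, url, selfOrigin)), directive: eff.name };
}

// Is an inline <script> block (no nonce, no hash) allowed? 'unsafe-inline' is
// ignored as soon as a nonce or hash source is present, so it only helps on its own.
function allowsInlineScript(policy) {
  const eff = effectiveDirective(parseCsp(policy), "script-src-elem");
  if (!eff) return true;
  const nonceOrHash = eff.sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  return !nonceOrHash && eff.sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
}

// Policies copied from the posts above; https://example.com is a constructed page origin.
console.log(allowsInlineScript("script-src 'self' blob: filesystem: chrome-extension-resource:"));
console.log(allowsUrl("script-src https://cdnjs.cloudflare.com https://api.mapbox.com 'self' blob:",
  "script-src-elem", "https://js.stripe.com/v3/", "https://example.com"));
console.log(allowsUrl("default-src 'self'; img-src https://*; child-src 'none'; frame-src youtube.com https://www.youtube.com;",
  "frame-src", "https://www.youtube.com/embed/HIDDENVIDEO", "https://example.com"));
```

Run it with node. The returned `directive` is the one a browser names in "violates the following Content Security Policy directive", which is why the Stripe error cites script-src although no script-src-elem was set, and why the Tomcat question's error cites script-src even though only default-src is in the meta tag.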

content_security_policy not taking effect in Chrome Extension

The Zemanta Chrome Extension fails to load with the following error message
loader.js:13 Refused to load the script 'https://static.zemanta.com/widgets/blogger.com/merged-blogger.js?v=1451290656'
because it violates the following Content Security Policy directive:
"script-src 'self' *.google.com *.google-analytics.com 'unsafe-inline'
'unsafe-eval' *.gstatic.com *.googlesyndication.com *.blogger.com
*.googleapis.com uds.googleusercontent.com https://s.ytimg.com
www-onepick-opensocial.googleusercontent.com www-bloggervideo-opensocial.googleusercontent.com
www-blogger-opensocial.googleusercontent.com *.blogspot.com https://www.blogblog.com".
I have changed the content_security_policy line to the following, and reloaded the extension
"content_security_policy": "script-src 'self' https://ssl.google-analytics.com https://*.zemanta.com; object-src 'self'"
Why is it that "https://*.zemanta.com" is not listed in the CSP directive in the error message above, and how can I make sure it is in the CSP?
It looks like an error thrown by a webpage with its own CSP, not inside your extension. So the CSP you set there has no effect.
It probably happens as a result of a content script trying to insert <script src="..."> into the page. That's subject to the page's CSP and can fail.
You can try to bypass the page's CSP by loading the script with XHR and inserting a <script> tag with the code included instead of src link. Note that this may fail at a later stage, since while the script will be executed this way, it will be subject to CSP in its own actions (so if it, say, tries to add a <script> tag as well, it will fail).
Alternatively, you could use webRequest API to intercept and modify the CSP header. That's risky since you're loosening the page's security in general.