With CSP required by Google Chrome Apps, is there any official guidance from Google about the domains that should be added to the CSP for a Chrome App?
http://developer.chrome.com/extensions/contentSecurityPolicy.html
What seemed to work for me
script-src 'self' https://checkout.google.com https://www.google.com
Related
We have a published app in the Teams App Store.
And now we're working on the update which is going to let people open their on-premises sites in the teams task window.
To achieve that we're using AAD, Enterprise application, Application Proxy and assigned users who can access the portal. We didn't add single sign-on to it.
Everything is working fine in mobile apps and in the browser app, but not working in Desktop Application.
In Desktop application we have this error:
Refused to display 'https://login.microsoftonline.com/' in a frame because it set 'X-Frame-Options' to 'deny'.
How can we fix this? Thanks in advance.
The website that you use must be iFramable.
Whatever you are trying to display in tab or task module that needs to be in valid domains of Manifest
Ensure that you adhere to the following prerequisites
Allow your tab pages to be discovered in an iFrame, using X-Frame-Options and Content-Security-Policy HTTP response headers.
Set header: Content-Security-Policy: frame-ancestors teams.microsoft.com *.teams.microsoft.com *.skype.com
For Internet Explorer 11 compatibility, set
X-Content-Security-Policy.
Alternately, set header X-Frame-Options: ALLOW-FROM
https://teams.microsoft.com/. This header is deprecated but still
accepted by most browsers
Reference Doc: https://learn.microsoft.com/en-us/microsoftteams/platform/tabs/how-to/tab-requirements.
Safari now can use web extensions.
But browser.identity or chrome.identity is not supported. So launchWebAuthFlow is not working.
In the docs they just say.
identity Not supported. Initiate an OAuth flow in a new tab.
How can I do it? Is there any example?
When setting up the Google OAuth consent screen for a new project (a chrome extension), what exactly should be put in the Authorized Domains field? If my extension can pop up on any website, then is there any way for me to fill this out so I can log in to the extension?
This should help: https://firebase.google.com/docs/auth/web/google-signin#authenticate_with_firebase_in_a_chrome_extension
You basically need to introduce chrome-extension://CHROME_EXTENSION_ID in the Authorized domains field
I've searched the Web Bluetooth docs and the chrome.bluetooth docs but it seems like they only mention Chrome Apps being able to access the API, it doesn't say anything about extensions.
I'm building a Chrome extension and using $.ajax (jsonp) to pull article titles and urls from a json array on a wordpress site.
If I GET from a https site, it works fine, however if I GET from a http site I get the following error.
Refused to load the script because it violates the following Content Security Policy directive: "script-src 'self'
Unfortunately it's not possible in this instance to use HTTPS on this particular site, so how do I allow a none http site in my Content Security Policy in my manifest.json or is it strictly https only?
According to developer.chrome.com/extensions/contentSecurityPolicy, only HTTPS sites can be added to the CSP, not HTTP.
But you should not be doing JSONP from a Chrome extension, period. Can't do HTTP Request with my Chrome Extension