I am having trouble migrating my chrome extension from MV2 to MV3. I read through the docs and still don't understand the Content Security Policy aspect of it.
I want to migrate this piece of the manifest.json file:
"content_security_policy": "script-src 'self' https://www.google-analytics.com https://cdn.firebase.com https://apis.google.com https://www.gstatic.com https://kit.fontawesome.com/; object-src 'self'"
So far I have this:
"content_security_policy": {
"extension_pages": "script-src 'self'; object-src 'self'"
}
But what about the links
https://www.google-analytics.com https://cdn.firebase.com https://apis.google.com https://www.gstatic.com https://kit.fontawesome.com/
after installing and initializing my firebaseApp, when I try to run the SingInWithPopup function, I get an error saying 'window is not defined'.
I am running the auth function in my service_worker file.
I have my content_security_policy set up like this according to the official doc:
"content_security_policy": {
"extension_pages": "script-src 'self'; script-src-elem 'self' https://apis.google.com; object-src 'self';"
}
I want to use Firebase in my Chrome extension but I'm getting this error.
I have added content-security-policy in the manifest file but I'm still getting this error:
Refused to load the script 'https://www.gstatic.com/firebasejs/8.9.1/firebase-app.js' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
My content-security-policy in my manifest file is this:
"content_security_policy": {
"extension_pages": "script-src 'self'; object-src 'self'",
"sandbox": "sandbox allow-scripts; script-src 'self' 'https://apis.google.com/' 'https://www.gstatic.com/*' 'https://*.firebaseio.com' 'https://www.googleapis.com' 'https://ajax.googleapis.com'; object-src 'self';"
}
Please help me to solve this error.
In my Angular project, I'm getting the below-mentioned error:
refused to create a worker from 'blob:http://localhost:4200/d8633b89-9f70-4fd6-b08a-e369ccd34273' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' https://cdn.jsdelivr.net/npm/pdfjs-dist#2.5.207/es5/build/pdf.worker.js". Note that 'worker-src' was not explicitly set, so 'script-src' is used as a fallback.
I know it's related to Content Security Policy. I have set up CSP. Here it is:
default-src 'self';
script-src 'self' 'unsafe-eval' https://cdn.jsdelivr.net/npm/pdfjs-dist#2.5.207/es5/build/pdf.worker.js;
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
img-src 'self' data: https://*.amazonaws.com;
media-src 'self' data: https://*.amazonaws.com;
connect-src 'self' http://localhost:* ws://localhost:*;
font-src 'self' https://fonts.gstatic.com https://fonts.googleapis.com data:;
childSrc blob
worker-src blob:
But I'm still getting the error.
I believe the semicolons were missing to separate the font-src, child-src (I suppose childSrc is not correct) and worker-src directives:
default-src 'self';
script-src 'self' 'unsafe-eval' https://cdn.jsdelivr.net/npm/pdfjs-dist#2.5.207/es5/build/pdf.worker.js;
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
img-src 'self' data: https://*.amazonaws.com;
media-src 'self' data: https://*.amazonaws.com;
connect-src 'self' http://localhost:* ws://localhost:*;
font-src 'self' https://fonts.gstatic.com https://fonts.googleapis.com data:;
child-src blob:;
worker-src blob:;
My app works fine in the browser but not on the device:
The Ionic app only loads the HTML and CSS but does not load the HTTP requests or run the JS.
In Xcode it's stuck at this point:
2016-06-18 11:43:59.169 waettr[719:414729] Apache Cordova native platform version 4.1.0 is starting.
2016-06-18 11:43:59.170 waettr[719:414729] Multi-tasking -> Device: YES, App: YES
2016-06-18 11:43:59.203 waettr[719:414729] Using UIWebView
2016-06-18 11:43:59.204 waettr[719:414729] [CDVTimer][handleopenurl] 0.057995ms
2016-06-18 11:43:59.205 waettr[719:414729] [CDVTimer][intentandnavigationfilter] 1.080990ms
2016-06-18 11:43:59.205 waettr[719:414729] [CDVTimer][gesturehandler] 0.043035ms
2016-06-18 11:43:59.217 waettr[719:414729] [CDVTimer][splashscreen] 12.061000ms
2016-06-18 11:43:59.224 waettr[719:414729] [CDVTimer][statusbar] 6.388009ms
2016-06-18 11:43:59.224 waettr[719:414729] [CDVTimer][keyboard] 0.630975ms
2016-06-18 11:43:59.225 waettr[719:414729] [CDVTimer][TotalPluginStartup] 20.883977ms
2016-06-18 11:43:59.366 waettr[719:414729] Resetting plugins due to page load.
2016-06-18 11:44:01.708 waettr[719:414729] Finished load of: file:///var/containers/Bundle/Application/8365EFD8-1FAA-4E82-8DB6-2ADCD8E53A90/waettr.app/www/index.html#/home
I have the following settings:
<access origin="*" />
<allow-navigation href="https://maps.googleapis.com/*"/>
<allow-navigation href="http://api.openweathermap.org/*"/>
This Tag:
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' maps.googleapis.com 'unsafe-inline' 'unsafe-eval'">
What's my mistake? I'm getting headaches from this...
If you are making Ajax calls to:
<allow-navigation href="https://maps.googleapis.com/*"/>
<allow-navigation href="http://api.openweathermap.org/*"/>
which I guess is why you have those in your config.xml, then I recommend that you update your Content Security Policy meta tag to include a connect-src declaration. This defines where you can make Ajax calls to.
Try setting the following Content Security Policy:
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' maps.googleapis.com 'unsafe-inline' 'unsafe-eval'; connect-src https://maps.googleapis.com http://api.openweathermap.org">
Here I added connect-src and the URLs that I think you are trying to make Ajax requests to. If you'd like more information on this, here's a relevant blog post.
I have a problem with Android 5.0 Lollipop and the Google Maps API: I get a CSP error about unsafe-eval.
Here is the Error:
https://maps.googleapis.com/maps-api-v3/api/js/22/7/intl/es_ALL/main.js:65
Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src * 'unsafe-inline'".
The Code:
<meta http-equiv="Content-Security-Policy" content="default-src * 'unsafe-inline'; style-src 'self' 'unsafe-inline'; script-src: 'self' 'unsafe-inline' 'unsafe-eval'">
Inside my config.xml I have this:
<plugin name="cordova-plugin-whitelist" version="1" />
<access origin="*" />
I have no problems with Android 4.x but only with 5.x. I know it's because of the Chromium WebView, but I can't use Google Maps because of this error.
What can I do to fix this?
Thanks!
Try refactoring your Content-Security-Policy meta tag a little. I have the following working in a Cordova 5 / Android 5 app that uses Google Maps (the ; positions are different from yours):
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'">
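Every error on this page is a CSP syntax slip (a missing `;`, a stray `:` after `script-src`, quoted host names) or a directive falling back to another one. The following linter is an added example, not code from any of the posts or from Chrome; it parses a policy string, flags those slips, and shows which directive actually governs a request type. The directive list and fallback chains are the ones the quoted error messages mention, and the sample policy is constructed from the pdf.js question.

```javascript
// Added example: minimal CSP linter for the mistakes quoted on this page.
const KNOWN = new Set(["default-src", "script-src", "script-src-elem", "style-src",
  "img-src", "media-src", "connect-src", "font-src", "child-src", "worker-src",
  "object-src", "sandbox"]);
// Fallback order named in the browser errors; anything else falls back to default-src.
const FALLBACK = {
  "script-src-elem": ["script-src", "default-src"],
  "worker-src": ["child-src", "script-src", "default-src"],
};

// Split "name src src; name src" into { name: [sources] } (names lower-cased).
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Problems: unknown names (typo, stray ':' or missing ';'), a directive name
// swallowed into the previous source list, and host sources wrapped in quotes.
function lintCsp(policy) {
  const problems = [];
  for (const [name, sources] of Object.entries(parseCsp(policy))) {
    if (!KNOWN.has(name)) problems.push(`unknown directive '${name}'`);
    for (const src of sources) {
      if (/^[a-z-]+-src$/i.test(src)) problems.push(`'${src}' inside '${name}': missing ';'`);
      if (/^'https?:/i.test(src)) problems.push(`host ${src} must not be quoted`);
    }
  }
  return problems;
}

// Which directive actually governs `name`, following its fallback chain.
function effectiveDirective(policy, name) {
  const d = parseCsp(policy);
  for (const c of [name, ...(FALLBACK[name] || ["default-src"])]) {
    if (c in d) return { directive: c, sources: d[c] };
  }
  return null;
}

// Constructed from the pdf.js question: the font-src line ends with ';' but the
// next two lines do not, so "childSrc blob" runs into "worker-src blob:".
const BROKEN_PDF_POLICY =
  "default-src 'self'; script-src 'self' 'unsafe-eval' https://cdn.jsdelivr.net/x.js;\n" +
  "font-src 'self' https://fonts.gstatic.com data:;\nchildSrc blob\nworker-src blob:";
```

Running `lintCsp(BROKEN_PDF_POLICY)` reports the unknown `childsrc` directive and the swallowed `worker-src`, and `effectiveDirective(BROKEN_PDF_POLICY, "worker-src")` resolves to `script-src`, exactly the fallback the browser complained about.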