I'm creating a Chrome Extension which modifies a script served by the server (which I have no control over) to add new functionality to the website, and I had the following idea:
Block the original script via WebRequest, webRequestBlocking.
Send the url of the blocked script to a script injected into the page.
GET this url from the page's script.
Edit a part of the code (string).
Eval the string.
(Another working way is to redirect it to a local modified script return { redirectUrl: chrome.extension.getURL("modified.js") };, inside the Chrome Extension folder, but then it's impossible to modify it on the fly, that's why I want to eval a modified script)
When I try to eval the string in the 5th step, it says: ...'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'nonce-DFX4zDtBDF32343LjE2DFKMs' 'self' https://website.com".
I've tried to use webRequest.onHeadersReceived to see if I could alter CSP headers (as some answers suggested: Edit Content Security Policy in onHeadersReceived), but there is no "content-security-policy" header.
I can see a Content Security Policy meta tag (I've omitted everything except 'script-src'):
<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-DFX4zDtBDF32343LjE2DFKMs' 'self' https://website.com; base-uri 'none';">
From this answer (https://stackoverflow.com/a/27324485/10364842), Chrome Extensions cannot override CSP of Web pages. But someone replies: I know this is incredibly old, but I came across it while trying to inject Artoo.js into a page. The chrome extension does indeed allow you to modify the page you're looking at and let any content through.
Eval works in the content script, but I need to execute the script in the page's context, because it depends on the global scope.
I'm wondering if it's possible to alter CSP of a Web page through a Chrome Extension, or if there is any other way to accomplish this solely via a Chrome extension?
"Extensions have a content security policy applied to them by default. The default policy restricts the sources from which they can load and resources, and disallows potentially unsafe practices such as the use of eval(). See Default content security policy to learn more about the implications of this.
You can use the "content_security_policy" manifest key to loosen or tighten the default policy. This key is specified in just the same way as the Content-Security-Policy HTTP header. See Using Content Security Policy for a general description of CSP syntax." https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy
Related
I am working on a twitch extension and I have created an API externally for the app to connect to. I've had this error now for roughly two days and I can't seem to find a solution to it.
Refused to connect to 'https://community.shadowmont.com/oauth/GetUserProfileDetails' because it violates the following Content Security Policy directive: "connect-src 'self' https://lgqt8zmxwk4v3ubxobrmy8r2f49uc1.ext-twitch.tv https://api.twitch.tv wss://pubsub-edge.twitch.tv https://www.google-analytics.com https://stats.g.doubleclick.net".
The front end is JavaScript / HTML and it's trying to connect to an MVC5 API. I've Googled around for the answer and most posts say to add a meta-tag to the header, but no matter what I try, this does not solve the issue. I'm at a point now where I am not sure what to do.
One of the posts I found told me to add
<meta http-equiv="Content-Security-Policy" content="img-src 'self' data:; default-src 'self' http://XX.XX.XX.XX:8084/mypp/">
But this didn't work.
You need to add any External Domains you connect to in the "Allowlist for URL Fetching Domains" in the Dev Console for your Extension. The same goes for External Media or Images.
Extensions utilise a CSP or Content Security Policy to control/limit/protect Extensions from connecting to unexpected things.
Twitch DOES NOT support the meta tag version of this, as it is less secure. It is overriden/set by the Twitch Extensions CDN Server Headers for security reasons.
To populate these parameters,
Visit the Developer Console.
Manage Your Extension
Manage the Version of the Extension you are working on
Click Capabilities
Scroll to Allowlist for URL Fetching Domains at the bottom.
Add in the URL's as needed.
Further reading
https://dev.twitch.tv/docs/extensions#restrictions-on-content
https://discuss.dev.twitch.tv/t/new-extensions-policy-for-content-security-policy-csp-directives-and-timeline-for-enforcement/33695/
For testing under local test there is this NodeJS Module which you can use as is or copy the relevant logic into your own local test system which will save you having to jump to hosted test/local test too much.
I'm trying to load some external JavaScript, but Chrome isn't having it.
To be clear, I'm using a bookmarklet to create a new script element, change the src attribute to my source code, and then append it to the header.
Here's the code:
javascript:var script=document.createElement("script");script.src="URL";document.getElementsByTagName('head')[0].appendChild(script);
Unfortunately, Chrome's Cross-Origin Read Blocking algorithm is preventing me from injecting the source into the header. I believe that this is due to the fact that said source document is simply plain text, and not an acceptable JavaScript file.
Is there any workaround for this?
There are many websites that because of CSP (Content Secrutiy Policy) not let you load scripts from other URLS. You should check the CSP headers of the website you trying to inject scripts into.
More info on CSP:
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
UPDATE
I see that your edit your question (after my initial answer) and now your asking specific about CORB issue. In that case you have to ensure that your script returing the correct content-type header. If you script doens't return text/javascript chrome will not execute it.
How do you serve the JavaScript file? if you will give more details we can try to help.
Usually servers are giving the correct header to JS files. There are some exception. For e.g. when user upload JS file to GitHub, GitHub will serve it without the content type header. This is because they don't want that a webmaster that trust only GitHub will have a risk that a user will execute user uploaded script (to GitHub) on his website.
More info:
https://www.chromium.org/Home/chromium-security/corb-for-developers
I'm trying to implement a youtube player in my web application. For this i have used the following react library
react-youtube
https://github.com/troybetz/react-youtube
I have implemented it and working in the localhost without any issue. But it stops working in the production build. It gives out an error like the following
Refused to load the script 'https://www.youtube.com/iframe_api' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
What causes this and how can i fix this?
This is most likely because your production server is only allowing you to embed scripts which is coming from its own origin, or script-src 'self'.
This is done using the Content-Security-Policy either as a response header, HTML meta tag or manifest.json file. Please check with the network inspector where this CSP is set. If you are running on a CloudFront or other content network you need to configure it to allow it.
You need to extend this to allow YouTube, eg. extending it like script-src 'self' youtube.com;
Does anyone know how to get CSP, even with the default-src wildcard, to work so a modern Analytics script sends website per-page data (not just home page data) to the site owner's account and so AdSense ads appear?
I tried many variations of CSP for my website, including that proposed in <H5BP.com>'s .htaccess file, but all blocked Google Analytics from producing per-page data (except for the home page) and Google AdSense from accepting ads on any page.
Google's machines did not see the Analytics script although Google's humans always saw it in my website source code. Even setting CSP default-src to the asterisk wildcard failed.
Asking at a Google forum and a non-Google forum got nothing that worked except that people said the problem was with my CSP and I received one email that said that I should comment CSP out completely. That last worked. Commenting out should be no better than default-src wildcard but commenting out is the only way I got ads and inside-the-website data.
I posted to Google about a month ago about the incompatibility but no answer refuted that (https://www.en.advertisercommunity.com/t5/Code-Implementation/content-security-policy-and-Analytics-and-likely-AdSense/m-p/491031).
The Stack Overflow answers at <Google Analytics and Content-Security-Policy header > do not indicate that anyone is getting within-website Analytics data and that thread is based on an outdated Google script.
The thread at <Google analytics.js and Content Security Policy > is for an app, not a website, no one there reported getting within-website Analytics data, and my efforts failed even with the maximally permissive CSP.
A solution is in the thread <Google analytics Universal code not tracking > but the solution is limited to setting CSP to reporting, not blocking, which is not of much use to me.
No Stack Overflow thread is about CSP and AdSense. When I proposed that H5BP tell users about this in their model <.htaccess>, their respondent said it works for him and referred me to you.
As a check on advice, is anyone seeing that page-specific data in their own Google Analytics account and seeing AdSense ads while running .htaccess CSP?
Adsense
For Google adsense, e.g. this CSP "works":
Content-Security-Policy: frame-ancestors 'self';
It prevents your page being framed without putting limits on what your page can do. Hence its XSS protection is nonexistent.
But the Adsense scripts can be loading something that loads, which in turn loads etc. And given the thousands (at the time of writing: 3103 ) 3rd party advertising networks they can use, there simply is no reasonable nor practicable way for us to ever know what all of them could be needing for the ads to function. So to restrict where you're going to let images, flash, javascript etc. be loaded from if you want to have Adsense just is not going to happen.
One or the other:
either Adsense
either a restrictive CSP
But not both.
Analytics
is another matter, already covered in other replies. [not a user]
CSP policies
Potential authors of permissive CSP policies need to be reminded that e.g. https: and * do not include permission for unsafe-inline nor data: sources. I've seen quite a few places around the web where authors assume they do.
While writing policies it might be better to put a report-only one up first.
The header is named "Content-Security-Policy-Report-Only" instead of "Content-Security-Policy" and it'll not stop anything, just do the reporting part in json to the specified destination. See here: https://developers.google.com/web/fundamentals/security/csp/#report-only
No. As of today [8 Sep 16]. We disabled CSP as Google frame source was domain specific -> frame-src : … google.co.uk google.co.fr ...
Using below code works for me :
default-src 'self' googleads.g.doubleclick.net;
script-src 'self' 'unsafe-inline' data: pagead2.googlesyndication.com storage.googleapis.com googleads.g.doubleclick.net ajax.googleapis.com;
img-src 'self' data: storage.googleapis.com pagead2.googlesyndication.com;
style-src 'self' 'unsafe-inline';
font-src 'self' fonts.googleapis.com; frame-ancestors 'self'; object-src 'self'
Or log all error with report-uri for add sources to your CSP.
JSON will POST to that URL (https://example.com/csp/log.php).
Content-Security-Policy: default-src 'self';
report-uri: https://example.com/csp/log.php;
With strict CSP 3, and nonces, I think this is possible but I don't have the ability to test as we don't use AdSense.
1.) Put all javascript in (GA, AdSense, etc.) in .js files. No inline JS.
2.) Use the proposed "strict" CSP: https://csp.withgoogle.com/docs/strict-csp.html
3.) Include the .js files as you normally include any file, but add a nonce:
<script src="/mygooganalytics.js" nonce="[your nonce here]"></script>
The effect should be that anything originating from mygooganalytics.js will be allowed. Nonces are generally created by server-side code (php, ruby, etc.), but if this is outside of your app/in a regular old html file you can generate a nonce using your server. If you happen to use Apache: Generate a nonce with Apache 2.4 (for a Content Security Policy header)
I am loading HTML content into an iframe using the srcdoc property. The iframe is a sandboxed iframe with no permissions given, so all Javascript in the iframe is blocked. However, remote requests (such as for CSS, images etc.) will still be triggered inside the iframe.
Is there any possible way to tell the iframe to only load what I give it in the srcdoc property and not make any additional requests?
Thanks in advance
The basics
Presumably no because sandboxing the iframe is meant to avoid sharing sensitive data between your main document and your iframe's document or limiting potentially disruptive behavior.
The iframe is still functionally a browser window and will act like such, loading all external resources that are declared in it, with the only difference that it displays within another document rather than another window.
If the code present inside srcdoc has calls to remote resources, then the browser is doing exactly what you are telling it to do by loading them.
If you don't want these resources to be loaded, you will have to edit them out of the srcdoc code.
Actually, a possible solution
That being said, there might exist a way to block the loading of resources by using a Content Security Policy from within the iframe's document using a meta tag:
<meta http-equiv="Content-Security-Policy" content="default-src 'none';">
or
<meta http-equiv="X-Content-Security-Policy" content="default-src 'none';">
I did try this under Firefox 39.0.3 but it didn't work, likely because of the following:
Bug 663570 - Implement Content Security Policy via tag
Regardless, for more information, see:
CSP (Content Security Policy) on the Mozilla Developer Network
Content Security Policy Reference