I am developing a Chrome Extension, and I have this in my index.html head:
<script src="https://cdnjs.cloudflare.com/ajax/libs/js-beautify/1.7.5/beautify-html.js"></script>
I am getting this error:
Refused to load the script 'https://cdnjs.cloudflare.com/ajax/libs/js-beautify/1.7.5/beautify-html.js' because it violates the following Content Security Policy directive: "script-src 'unsafe-eval'".
Here is my manifest.json config:
"content_security_policy": "script-src '*' 'unsafe-eval'; object-src '*';"
Does anyone know if there is a possible way to load <script>s which reference a www link? Are there some permissions I am missing?
The current security policy that you're using only applies to your extension; that is because you cannot use just *. Wildcards are allowed, but only to construct a URL. If you want to allow https://cdnjs.cloudflare.com, you'll have to specify that domain, something like this:
"content_security_policy": "script-src 'self' https://cdnjs.cloudflare.com; object-src 'self';"
You can learn more about the content_security_policy property from HERE
Related
I'm making a browser extension and we need to run some remote js as well as google analytics, but when I put more than one URL into the content security policy we get a Syntax Error.
"content_security_policy": "script-src 'self' https://ssl.google-analytics.com; object-src 'self'", "script-src 'self' https://res.cloudinary.com/givr/raw/upload/v1642726460/coupons.js; object-src 'self'",
Is there a way to allow for multiple external sources in here?
You get a syntax error because that is not valid JSON. You can specify multiple URLs separated by spaces, like below.
"content_security_policy": "script-src 'self' https://ssl.google-analytics.com https://res.cloudinary.com/givr/raw/upload/v1642726460/coupons.js; object-src 'self'"
I added Facebook signIn button and on https://localhost:3000/ everything works just fine but when I deploy my app it throws the following error in the console:
Refused to load the script 'https://connect.facebook.net/en_US/sdk.js' because it violates the following Content Security Policy directive: "script-src-elem 'self' 'unsafe-inline' https://apis.google.com/ ".
I tried to add this line into my manifest.json: "content_security_policy": "script-src 'self' 'unsafe-inline' https://connect.facebook.net 'unsafe-eval'; object-src 'self'"
But it doesn't help. Could someone explain to me what the problem is?
because it violates the following Content Security Policy directive: "script-src-elem 'self' 'unsafe-inline'
This violation message says that you use the script-src-elem directive in the CSP, but you added the https://connect.facebook.net source into the script-src directive.
Chrome follows script-src-elem if it is present; script-src is used as a fallback only if script-src-elem is omitted.
You have to add https://connect.facebook.net into both script-src-elem and script-src.
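Added example, not code from any answer above: a toy checker that applies the rules these answers state (directives split on ';' with space-separated sources, script-src-elem taking precedence over script-src for <script src> loads, a host-source matching only its host and optional path, and a bare * or quoted keyword admitting no remote host). The extension origin is a placeholder, and ports and keywords other than 'self' are ignored (assumption for brevity).

```javascript
// Added example: a simplified CSP check for <script src> loads, covering only
// what the answers above discuss (ports and non-'self' keywords are ignored).

function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// script-src-elem governs <script> elements when present; otherwise the
// browser falls back to script-src, exactly as Chrome's violation message says.
function effectiveScriptDirective(directives) {
  return ['script-src-elem', 'script-src'].find((d) => d in directives) || null;
}

// Parse a host-source of the form [scheme://][*.]host[/path]. A bare '*',
// quoted keywords ('unsafe-eval', 'self', ...) and nonces yield null.
function parseHostSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(\/\S*)?$/i.exec(expr);
  if (!m) return null;
  return { scheme: m[1] ? m[1].toLowerCase() + ':' : null, wildcard: !!m[2],
           host: m[3].toLowerCase(), path: m[4] || '' };
}

function sourceMatches(expr, url, selfOrigin) {
  // 'self' is the extension's own origin (chrome-extension://<id>); built by hand
  // because URL.origin is "null" for non-http(s) schemes.
  if (expr.toLowerCase() === "'self'") return url.protocol + '//' + url.host === selfOrigin;
  const src = parseHostSource(expr);
  if (!src) return false;
  if (src.scheme && src.scheme !== url.protocol) return false;
  const hostOk = src.wildcard
    ? url.hostname.endsWith('.' + src.host)
    : url.hostname === src.host;
  if (!hostOk) return false;
  if (!src.path || src.path === '/') return true;      // whole host allowed
  return src.path.endsWith('/') ? url.pathname.startsWith(src.path)
                                : url.pathname === src.path;   // exact file only
}

// Returns true when the policy lets the extension page load scriptUrl.
function scriptAllowed(policy, scriptUrl, selfOrigin) {
  const directives = parseCsp(policy);
  const name = effectiveScriptDirective(directives);
  if (!name) return true;                      // no script directive to enforce
  const url = new URL(scriptUrl);
  return directives[name].some((expr) => sourceMatches(expr, url, selfOrigin));
}
```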
I want to add the Google API in my popup.html but there is an error in the console
Refused to load the script 'https://apis.google.com/js/api.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' https://cdn.jsdelivr.net". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
Can someone help me please? In the manifest I have added
"content_security_policy": "script-src 'self' https://apis.google.com/js/api.js; object-src 'self'",
but it does not work. Please help me, thanks in advance.
I can't add image to GitHub issue page with firefox web extension content script.
Content Security Policy: The page’s settings blocked the loading of a resource at https://api.everhour.com/avatar/MjM4XzE0OTA3MTAyNDIuMTY0OTEx.png (“img-src https://github.com data: https://assets-cdn.github.com https://identicons.github.com https://collector.githubapp.com https://github-cloud.s3.amazonaws.com https://*.githubusercontent.com”).
I've tried setting img-src policies in manifest.json, but it does not work.
manifest.json:
{
"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'; img-src 'self' 'unsafe-inline' https://api.everhour.com"
}
Does anybody know how to ignore page CSP policies in a web extension?
I'm trying to do a Chrome extension and I have problems with the content security policy.
I created a popup.html with a JSON call in the popup.js called in the header. I also add another .js file on a remote server; I can't include it since it's an API call to an external service.
I tried everything with the manifest.json.
"permissions": [ //"optional_permissions": [
"http://*.myjsonserver.com/",
"http://*.twilio.com/*",
"https://*.twilio.com/*"
//"http://*/*",
//"https://*/*"
],
I tried this.
"manifest_version": 2,
"content_security_policy": "connect-src 'self' http://myjsonserver.com; object-src 'self'", //connect-src
"content_security_policy": "script-src 'self' https://static.twilio.com; object-src 'self'"
Or should I add the JavaScript this way?
"content_scripts": [
{
"matches": ["http://static.twilio.com/*"],
"js": ["jquery.js", "myscript.js"]
}
],
I get this error in the Google Chrome inspector.
Refused to load the script 'http://myjsonserver.com/get_token_cb.php?callback=jQuery210007401883858256042_144745747' because it violates the following Content Security Policy directive: "script-src 'self' https://static.twilio.com".
---------------
chrome-extension://static.twilio.com/libs/twiliojs/refs/6359b40/twilio.min.js Failed to load resource: net::ERR_FAILED
Failed to load resource: net::ERR_FAILED chrome-extension://static.twilio.com/libs/twiliojs/refs/6359b40/twilio.min.js
But nothing works; myjsonserver.com is not on an https server and it's on my own server. The twilio.com URL is to access the Twilio API from JavaScript.
This is just for testing because later it will be in the background.js.
I tried it all but I'm lost and I have no clue.
Lots going on here - I can say that Google recommends that you DO serve JS from the extension rather than from the internet if possible (so if you need jQuery, you would bundle it with your extension). Regarding the specific error you reported, only the second content_security_policy is taking effect. You can see in their documents that they only specify one of these attributes in the manifest.
To solve the error you are facing, I believe you want:
"content_security_policy": "script-src 'self' https://myjsonserver.com https://static.twilio.com; object-src 'self'"