We Keep Coding

Can you have more than one exception in a Manifest's Content Security Policy?

I'm making a browser extension and we need to run some remote js as well as google analytics, but when I put more than one URL into the content security policy we get a Syntax Error.
"content_security_policy": "script-src 'self' https://ssl.google-analytics.com; object-src 'self'", "script-src 'self' https://res.cloudinary.com/givr/raw/upload/v1642726460/coupons.js; object-src 'self'",
Is there a way to allow for multiple external sources in here?

You get syntax error because that is not valid json. You can specify multiple urls separated by space like below.
"content_security_policy": "script-src 'self' https://ssl.google-analytics.com https://res.cloudinary.com/givr/raw/upload/v1642726460/coupons.js; object-src 'self'"

How to avoid this error when I try to implement sign in with facebook button?

I added Facebook signIn button and on https://localhost:3000/ everything works just fine but when I deploy my app it throws the following error in the console:
Refused to load the script 'https://connect.facebook.net/en_US/sdk.js' because it violates the following Content Security Policy directive: "script-src-elem 'self' 'unsafe-inline' https://apis.google.com/ ".
I tried to add this line into my manifest.json: "content_security_policy": "script-src 'self' 'unsafe-inline' https://connect.facebook.net 'unsafe-eval'; object-src 'self'"
But it doesn't help. Could someone explain me what's the problem?

because it violates the following Content Security Policy directive: "script-src-elem 'self' 'unsafe-inline'
This violation message says that you use script-src-elem directive in the CSP. But you add the https://connect.facebook.net source into script-src directive.
Chrome browser follows the script-src-elem if it presents, and script-src is used as fallback only if script-src-elem is omitted.
You have to add https://connect.facebook.net into both script-src-elem and script-src.

Refused to load the script 'https://apis.google.com/js/api.js' because it violates the following Content Security Policy directive

I want to add google api in my popup.html but there is an error in cosole
Refused to load the script 'https://apis.google.com/js/api.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' https://cdn.jsdelivr.net". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
can someone help me please? in manifest i have added
"content_security_policy": "script-src 'self' https://apis.google.com/js/api.js; object-src 'self'",
but it does not work. please help me, thanks in advance

CSP error for image embed to GitHub with Firefox web extension content script

I can't add image to GitHub issue page with firefox web extension content script.
Content Security Policy: The page’s settings blocked the loading
of a resource at
https://api.everhour.com/avatar/MjM4XzE0OTA3MTAyNDIuMTY0OTEx.png (“img-
src https://github.com data: https://assets-cdn.github.com
https://identicons.github.com https://collector.githubapp.com
https://github-cloud.s3.amazonaws.com
https://*.githubusercontent.com”).
I've tried set img-src policies in manifest.json, but it does not work.
manifest.json:
{
"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'; img-src 'self' 'unsafe-inline' https://api.everhour.com"
}
Does anybody know how to ignore page CSP policies in web extension?

Chrome extension content security policy and permissions

I'm trying to do a Chrome extension and i have problems with the content security policy.
I create a popup.html with a json call in the popup.js called in the header. i also add another .js file on a remote server, i can't include it since it's a api car to a external service.
I tryed everything with the manifest.json.
"permissions": [ //"optional_permissions": [
"http://*.myjsonserver.com/",
"http://*.twilio.com/*",
"https://*.twilio.com/*"
//"http://*/*",
//"https://*/*"
],
i tryed this.
"manifest_version": 2,
"content_security_policy": "connect-src 'self' http://myjsonserver.com; object-src 'self'", //connect-src
"content_security_policy": "script-src 'self' https://static.twilio.com; object-src 'self'"
Or should i add the javascript this way?
"content_scripts": [
{
"matches": ["http://static.twilio.com/*"],
"js": ["jquery.js", "myscript.js"]
}
],
I get this error on google chrome inspector.
Refused to load the script 'http://myjsonserver.com/get_token_cb.php?callback=jQuery210007401883858256042_144745747' because it violates the following Content Security Policy directive: "script-src 'self' https://static.twilio.com".
---------------
chrome-extension://static.twilio.com/libs/twiliojs/refs/6359b40/twilio.min.js Failed to load resource: net::ERR_FAILED
Failed to load resource: net::ERR_FAILED chrome-extension://static.twilio.com/libs/twiliojs/refs/6359b40/twilio.min.js
but nothing work, myjsonserver.com it not on a https server and it's on my own server. the twilio.com url is to access the twilio api from javascript.
This is just for testing because later it will be on the background.js
I tryed it all but i'm lost and i have no clue.

Lots going on here - I can say that Google recommends that you DO serve JS from the extension rather than from the internet if possible (so if you need jQuery, you would bundle it with your extension). Regarding the specific error you reported, only the second content_security_policy is taking effect. You can see in their documents that they only specify one of these attributes in the manifest.
To solve the error you are facing, I believe you want:
"content_security_policy": "script-src 'self' https://myjsonserver.com https://static.twilio.com; object-src 'self'"