Chrome Extension: Content Security Policy Error

I am working on a Chrome extension which opens a new window. That window contains my page.html, where there are some scripts, and that's the problem, because in the console I can see the error... and now.

When I don't add any additional stuff to my manifest.json or page.html I get this error:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' blob: filesystem: chrome-extension-resource:". Either the 'unsafe-inline' keyword, a hash ('sha256-t+n/+H6ALc8VWtFbu1Zd7/MPwtSjSk8PIrfccO7FJrg='), or a nonce ('nonce-...') is required to enable inline execution.

If I add

 "content_security_policy": "script-src 'self' chrome-extension://capfbnhhhkfclmggnafjgkolommmmoch; object-src 'self';"

to my manifest.json, I get

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' chrome-extension://capfbnhhhkfclmggnafjgkolommmmoch". Either the 'unsafe-inline' keyword, a hash ('sha256-t+n/+H6ALc8VWtFbu1Zd7/MPwtSjSk8PIrfccO7FJrg='), or a nonce ('nonce-...') is required to enable inline execution.

When I added some meta tag into my page.html there was the same or a similar error.

And my question is: how can I fix it? Because I think that "script-src 'self' blob: filesystem: chrome-extension-resource:" is some kind of template, so I have to add some data thereafter :s... But I really don't know which. I saw here something about it, but I don't have a clue what I should do with it or where I should write it. So please help me, I would be so happy if I fixed that error.

Code where window opens:

// Fetch the extension's own page.html as text (chrome.extension.getURL is the
// older API; chrome.runtime.getURL is its current equivalent) and write it into
// a freshly opened blank window.
$.get(chrome.extension.getURL('/page.html'), function(data) {
    var myWindow;
    myWindow = window.open("", "TopSerialy.sk Vyhľadávač", "width=386,height=290");
    // Centre the popup on the screen (93px allowance for window chrome).
    myWindow.moveTo((screen.width/2)-(386/2), ((screen.height-93)/2)-(290/2));
    // The written document inherits the opener's extension CSP, so any inline
    // <script> inside page.html is subject to it.
    myWindow.document.write(data);
});

page.html contains only a simple script to close the window when a button is pressed, declared by a <script>functions, etc...</script> tag in the HTML, not <script src="some_url/script.js"></script>!

loumadev asked Jul 26 '18 12:07



1 Answer

This does not work, because Chrome forbids any kind of inline code in extensions via Content Security Policy.

What you can do is:

  1. Put all inline code into some file (popup.js).
  2. Add to your code <script src="popup.js"></script>
Kir Mazur answered Oct 16 '22 23:10
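The two steps in the answer, carried out by a small Node.js helper, as an added example that is not part of the question or the answer: it takes the HTML of an extension page, moves every inline `<script>` body into one external file and replaces the blocks with a single `<script src="...">` tag, and it also lists inline event-handler attributes (`onclick="..."` and friends), which the extension CSP blocks for the same reason and which therefore have to move into that file as `addEventListener` calls. The sample page, and the file names page.html and popup.js, are constructed for this example and are assumptions, not files from the asker's extension.

```javascript
// Added example (not from the question or the answer). Refactors an extension page
// so it no longer relies on inline script, which the extension CSP refuses to run.
// File names and the sample page below are constructed for this example.

// Constructed sample of a page.html with the kind of inline script the question
// describes (close the window on a button click) plus one inline event handler.
const SAMPLE_HTML = `<!DOCTYPE html>
<html>
<head><title>Search</title></head>
<body>
  <button id="close">Close</button>
  <button id="reset" onclick="document.getElementById('q').value=''">Reset</button>
  <input id="q">
  <script>
    document.getElementById('close').addEventListener('click', function () {
      window.close();
    });
  </script>
</body>
</html>`;

// <script ...>...</script> blocks: group 1 = attributes, group 2 = body.
const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;

// Inline handler attributes such as onclick="..." (blocked by the CSP as well).
const HANDLER_RE = /\s(on[a-z]+)\s*=\s*("[^"]*"|'[^']*')/gi;

// Move every inline <script> body into one external file (scriptFile) and replace
// the blocks with a single <script src="..."> tag placed just before </body>, so the
// DOM the script touches already exists when it runs.
function externalizeInlineScripts(html, scriptFile) {
  const bodies = [];
  let out = html.replace(SCRIPT_RE, (match, attrs, body) => {
    if (/\bsrc\s*=/i.test(attrs)) return match; // already external, keep as is
    bodies.push(body.trim());
    return '';                                  // drop the inline block
  });
  if (bodies.length === 0) return { html, script: '' };
  const tag = `<script src="${scriptFile}"></script>`;
  out = /<\/body>/i.test(out) ? out.replace(/<\/body>/i, `${tag}\n</body>`) : out + tag;
  return { html: out, script: bodies.join('\n\n') + '\n' };
}

// List inline handler attributes that still need to be rewritten by hand as
// element.addEventListener(...) calls inside the external file.
function findInlineHandlers(html) {
  const found = [];
  let m;
  while ((m = HANDLER_RE.exec(html)) !== null) {
    found.push({ attribute: m[1], code: m[2].slice(1, -1) });
  }
  return found;
}

// Usage: print what page.html and popup.js would contain after the refactor.
const result = externalizeInlineScripts(SAMPLE_HTML, 'popup.js');
console.log('--- page.html ---\n' + result.html);
console.log('--- popup.js ---\n' + result.script);
for (const h of findInlineHandlers(result.html)) {
  console.log(`still inline: ${h.attribute}="${h.code}" -> move into popup.js`);
}
```

The helper deliberately leaves inline handler attributes in place and only reports them: the right replacement depends on which element they belong to, and rewriting them blindly risks changing behaviour. Everything it moves into popup.js is the asker's own code, so no 'unsafe-inline', hash or nonce is needed in the manifest; the default extension policy already permits scripts loaded from the extension's own files.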