how to set multiple Content Security Policies in a chrome extension manifest.json file

In the Google Chrome documentation I found that I can add a Content Security Policy to allow an external JavaScript file to work in my extension.

But I couldn't find how to add multiple ones. Is it an array of strings?

"content_security_policy": "script-src 'self' https://example.com; object-src 'self'"

I tried putting multiple lines like that, but it doesn't work. It gives this error:

Refused to load the script https://example.com because it violates the following Content Security Policy directive: "script-src 'self' https://example.com". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

Creeper asked Apr 12 '19 10:04

1 Answer

CSP policy is a single string (containing a semicolon-separated list of directives and their arguments). It applies to all extension pages.

If you need a single policy with multiple sources, you can do that. In fact, you already have that: 'self' and https://example.com are two sources.

Read about CSP in general and the script-src directive, e.g. on MDN:

Syntax

One or more sources can be allowed for the script-src policy:

Content-Security-Policy: script-src <source>;
Content-Security-Policy: script-src <source> <source>;

So you just need to space-separate them between script-src and the semicolon.

Make sure that your sources do not contain paths.
E.g. https://example.com is OK, but https://example.com/ or https://example.com/script.js are not.

If you need multiple independent policies for different pages, I'm afraid you can't do that.

Xan answered Oct 13 '22 23:10
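An added example (not code from the question or the answer above): a small Node.js helper that assembles the single `content_security_policy` string from a map of directive to sources, rejects any source that carries a path as the answer warns, and parses a policy string back so you can check what you actually shipped. The function names and the sample directive map are assumptions for illustration.

```javascript
// Allowed source shapes for an extension CSP directive (assumed helper, not Chrome's own code):
//   keyword sources   'self', 'none', 'unsafe-eval', ...
//   nonce/hash sources 'nonce-...', 'sha256-...'
//   scheme sources     https:, blob:
//   host sources       https://example.com, *.example.com, example.com:8443 (no path, query or fragment)
function isPathFreeSource(source) {
  if (/^'[a-z0-9-]+'$/i.test(source)) return true;
  if (/^'(nonce|sha256|sha384|sha512)-[A-Za-z0-9+/=_-]+'$/.test(source)) return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return true;
  const hostPart = source.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '');
  // "https://example.com" -> "example.com" is fine; "https://example.com/" keeps a "/" and fails
  return hostPart.length > 0 && !/[/?#]/.test(hostPart);
}

// Build the one semicolon-separated string the manifest key expects.
// Sources of one directive are space-separated, exactly as the answer describes.
function buildExtensionCsp(directives) {
  const clauses = [];
  for (const [directive, sources] of Object.entries(directives)) {
    if (sources.length === 0) throw new Error(`${directive}: at least one source is required`);
    for (const src of sources) {
      if (!isPathFreeSource(src)) throw new Error(`${directive}: source "${src}" must not contain a path`);
    }
    clauses.push(`${directive} ${sources.join(' ')}`);
  }
  return clauses.join('; ');
}

// Inverse: split a policy string into { directive: [sources...] } for review.
function parseCsp(policy) {
  const result = {};
  for (const clause of policy.split(';')) {
    const tokens = clause.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    result[directive] = sources;
  }
  return result;
}

// Constructed sample: the policy from the question with one more script host added.
const sampleDirectives = {
  'script-src': ["'self'", 'https://example.com', 'https://cdn.example.net'],
  'object-src': ["'self'"],
};
const manifestFragment = { content_security_policy: buildExtensionCsp(sampleDirectives) };
console.log(JSON.stringify(manifestFragment, null, 2));
```

The string form shown here is the Manifest V2 shape the question uses; in Manifest V3 the key becomes an object (`extension_pages`, `sandbox`) and remote script hosts are no longer accepted for extension pages.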