I am the author of a Chrome extension that allows to translate status updates and comments right on Facebook: https://chrome.google.com/webstore/detail/facebook-translate/plofenifjagmdikfcobngnfmmnfmphin
For some days now, my users and me are getting an error in the error console that sais:
Refused to connect to 'https://api.microsofttranslator.com/V2/Http.svc/Translate?appId=&text=Chrome-Integration%3A+Google+bringt+Google+Now+auf+Desktop-PCs&to=en&contentType=text%2Fhtml' because it violates the following Content Security Policy directive: "connect-src https://.facebook.com http://.facebook.com https://.fbcdn.net http://.fbcdn.net *.facebook.net .spotilocal.com: https://.akamaihd.net ws://.facebook.com:* http://*.akamaihd.net".
In my chrome extension I did set the content security policy as follow:
"content_security_policy": "script-src 'self' https://ssl.google-analytics.com; object-src 'self'"
The URIs in the error console, however, are FB URIs only so that's why I'm thinking Facebook did update their site to restrict access to remote URIs. I'm not certain if it could be a Chrome issue, so sorry if I started the topic on the wrong stackoverflow network. :)
Can anyone confirm (and maybe point me to a possible solution for) this issue? Thanks everyone!
Click the extension icon to disable Content-Security-Policy header for the tab. Click the extension icon again to re-enable Content-Security-Policy header. Use this only as a last resort. Disabling Content-Security-Policy means disabling features designed to protect you from cross-site scripting.
Content Security Policy blocks all resources that don't match it's policy. To view the policy for a specific website use the CSP Evaluator.
To edit the configuration, go to chrome://extensions and click Options under Content Security Policy Override. The text area in the Options automatically saves as you edit.
Extensions should bypass a page's Content Security Policy when executing XMLHTTPRequest from a content script. They currently aren't, which is a bug. I've filed https://bugs.webkit.org/show_bug.cgi?id=104480 to take a look at fixing it.
Are you executing XHR from your extension's content script, or are you executing it in the background page? The latter should work right now.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With