Refused to connect to [url] because it violates the following Content Security Policy directive

Question

I am the author of a Chrome extension that allows to translate status updates and comments right on Facebook: https://chrome.google.com/webstore/detail/facebook-translate/plofenifjagmdikfcobngnfmmnfmphin

For some days now, my users and me are getting an error in the error console that sais:

Refused to connect to 'https://api.microsofttranslator.com/V2/Http.svc/Translate?appId=&text=Chrome-Integration%3A+Google+bringt+Google+Now+auf+Desktop-PCs&to=en&contentType=text%2Fhtml' because it violates the following Content Security Policy directive: "connect-src https://.facebook.com http://.facebook.com https://.fbcdn.net http://.fbcdn.net *.facebook.net .spotilocal.com: https://.akamaihd.net ws://.facebook.com:* http://*.akamaihd.net".

In my chrome extension I did set the content security policy as follow:

"content_security_policy": "script-src 'self' https://ssl.google-analytics.com; object-src 'self'"

The URIs in the error console, however, are FB URIs only so that's why I'm thinking Facebook did update their site to restrict access to remote URIs. I'm not certain if it could be a Chrome issue, so sorry if I started the topic on the wrong stackoverflow network. :)

Can anyone confirm (and maybe point me to a possible solution for) this issue? Thanks everyone!

Answer 1

Extensions should bypass a page's Content Security Policy when executing XMLHTTPRequest from a content script. They currently aren't, which is a bug. I've filed https://bugs.webkit.org/show_bug.cgi?id=104480 to take a look at fixing it.

Are you executing XHR from your extension's content script, or are you executing it in the background page? The latter should work right now.