
Refused to connect to [url] because it violates the following Content Security Policy directive

I am the author of a Chrome extension that allows translating status updates and comments right on Facebook: https://chrome.google.com/webstore/detail/facebook-translate/plofenifjagmdikfcobngnfmmnfmphin

For some days now, my users and I are getting an error in the error console that says:

Refused to connect to 'https://api.microsofttranslator.com/V2/Http.svc/Translate?appId=&text=Chrome-Integration%3A+Google+bringt+Google+Now+auf+Desktop-PCs&to=en&contentType=text%2Fhtml' because it violates the following Content Security Policy directive: "connect-src https://.facebook.com http://.facebook.com https://.fbcdn.net http://.fbcdn.net *.facebook.net .spotilocal.com: https://.akamaihd.net ws://.facebook.com:* http://*.akamaihd.net".

In my Chrome extension I did set the content security policy as follows:

"content_security_policy": "script-src 'self' https://ssl.google-analytics.com; object-src 'self'"

The URIs in the error console, however, are FB URIs only so that's why I'm thinking Facebook did update their site to restrict access to remote URIs. I'm not certain if it could be a Chrome issue, so sorry if I started the topic on the wrong stackoverflow network. :)

Can anyone confirm (and maybe point me to a possible solution for) this issue? Thanks everyone!

asked Dec 09 '12 11:12
oschloebe




1 Answer

Extensions should bypass a page's Content Security Policy when executing XMLHttpRequest from a content script. They currently don't, which is a bug. I've filed https://bugs.webkit.org/show_bug.cgi?id=104480 to take a look at fixing it.

Are you executing XHR from your extension's content script, or are you executing it in the background page? The latter should work right now.

answered Nov 09 '22 04:11
Mike West
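
The answer's suggestion of issuing the request from the background page rather than the content script could look like the sketch below. It is an added example, not code from the question or the answer; the message shape, `MAX_TEXT_LENGTH`, the language-code pattern and `APP_ID_PLACEHOLDER` are assumptions, and the manifest is assumed to grant host permission for `https://api.microsofttranslator.com/*`.

```javascript
// background.js sketch (added example; all names here are hypothetical).
const TRANSLATE_ENDPOINT = 'https://api.microsofttranslator.com/V2/Http.svc/Translate';
const MAX_TEXT_LENGTH = 5000;                      // assumed cap on request size
const LANG_CODE = /^[a-z]{2,3}(-[A-Za-z]{2,4})?$/; // assumed shape of a language code

// Build the request URL from a content-script message, or return null when the
// message is not a well-formed translate request. The content script supplies
// only text and target language, never a URL, so a script running inside a
// hostile page cannot use the background page as an open proxy.
function buildTranslateUrl(msg, appId) {
  if (!msg || msg.type !== 'translate') return null;
  if (typeof msg.text !== 'string' || msg.text.length === 0 ||
      msg.text.length > MAX_TEXT_LENGTH) return null;
  if (typeof msg.to !== 'string' || !LANG_CODE.test(msg.to)) return null;
  const params = new URLSearchParams({
    appId, text: msg.text, to: msg.to, contentType: 'text/html',
  });
  return TRANSLATE_ENDPOINT + '?' + params.toString();
}

// Message handler. extensionId and fetchImpl are parameters so the logic can
// be exercised outside Chrome. Returns true when a response will follow
// asynchronously (which keeps the message channel open).
function handleMessage(msg, sender, sendResponse, extensionId, appId, fetchImpl) {
  if (!sender || sender.id !== extensionId) return false; // not our own extension
  const url = buildTranslateUrl(msg, appId);
  if (url === null) {
    sendResponse({ ok: false, error: 'bad request' });
    return false;
  }
  fetchImpl(url)
    .then(r => (r.ok ? r.text() : Promise.reject(new Error('HTTP ' + r.status))))
    .then(body => sendResponse({ ok: true, body }))
    .catch(e => sendResponse({ ok: false, error: String(e.message) }));
  return true;
}

// Register only when running inside an extension background page.
if (typeof chrome !== 'undefined' && chrome.runtime && chrome.runtime.onMessage) {
  chrome.runtime.onMessage.addListener((msg, sender, sendResponse) =>
    handleMessage(msg, sender, sendResponse, chrome.runtime.id,
                  'APP_ID_PLACEHOLDER', (u) => fetch(u)));
}
// Content script side (runs under the page, makes no network request itself):
//   chrome.runtime.sendMessage({ type: 'translate', text, to: 'en' }, resp => { /* ... */ });
```

Because the request now originates from the extension's own page, it is governed by the extension's `content_security_policy` (which in the question sets no `connect-src`) instead of Facebook's.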