Hanxue

Reputation: 12766

content_security_policy not taking effect in Chrome Extension

The Zemanta Chrome Extension fails to load with the following error message

loader.js:13 Refused to load the script 'https://static.zemanta.com/widgets/blogger.com/merged-blogger.js?v=1451290656'
because it violates the following Content Security Policy directive: 
"script-src 'self' *.google.com *.google-analytics.com 'unsafe-inline'  
'unsafe-eval' *.gstatic.com *.googlesyndication.com *.blogger.com   
*.googleapis.com uds.googleusercontent.com https://s.ytimg.com   
www-onepick-opensocial.googleusercontent.com   www-bloggervideo-opensocial.googleusercontent.com   
www-blogger-opensocial.googleusercontent.com *.blogspot.com   https://www.blogblog.com".

I have changed the content_security_policy line to the following, and reloaded the extension

"content_security_policy": "script-src 'self' https://ssl.google-analytics.com https://*.zemanta.com; object-src 'self'"

Why is it that "https://*.zemanta.com" is not listed in the CSP directive in the error message above, and how can I make sure it is in the CSP?

Upvotes: 0

Views: 150

Answers (1)

Xan

Reputation: 77551

It looks like an error thrown by a webpage with its own CSP, not inside your extension. So the CSP you set there has no effect.

It probably happens as a result of a content script trying to insert <script src="..."> into the page. That's subject to the page's CSP and can fail.

You can try to bypass the page's CSP by loading the script with XHR and inserting a <script> tag with the code included instead of src link. Note that this may fail at a later stage, since while the script will be executed this way, it will be subject to CSP in its own actions (so if it, say, tries to add a <script> tag as well, it will fail).

Alternatively, you could use webRequest API to intercept and modify the CSP header. That's risky since you're loosening the page's security in general.

Upvotes: 1
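As an added example (not part of the answer, and not Chrome's implementation): a simplified model of CSP source-expression matching, run against the script-src directive quoted in the error and against the manifest CSP from the question. It shows that the page's policy is the one rejecting the Zemanta script, while the extension's own policy would have allowed it. The page origin is an assumption.

```javascript
// Simplified model of CSP source-expression matching (an added example, not Chrome's code):
// given a policy string, a script URL and the origin of the page it is loading into,
// decide whether script-src permits the load. Path matching and default-src fallback are omitted.
function parseDirective(csp, name) {
  for (const part of csp.split(';')) {                 // directives are separated by ';'
    const tokens = part.trim().split(/\s+/);
    if (tokens[0] === name) return tokens.slice(1);    // remaining tokens are the source list
  }
  return null;
}

function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {                      // '*.google.com' covers subdomains, not google.com itself
    const suffix = pattern.slice(1);
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

function sourceMatches(expr, url, pageOrigin) {
  const u = new URL(url);
  if (expr === "'self'") return u.origin === pageOrigin;
  if (expr.startsWith("'")) return false;              // 'unsafe-inline' / 'unsafe-eval' never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return u.protocol === expr.toLowerCase(); // scheme-source, e.g. https:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?(\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, hostPat, port] = m;
  const urlScheme = u.protocol.slice(0, -1);
  const srcScheme = (scheme || new URL(pageOrigin).protocol.slice(0, -1)).toLowerCase();
  // Scheme must match; a plain http source also admits the https upgrade of that host.
  if (urlScheme !== srcScheme && !(srcScheme === 'http' && urlScheme === 'https')) return false;
  if (!hostMatches(hostPat.toLowerCase(), u.hostname.toLowerCase())) return false;
  // No port in the source: only the scheme's default port matches (URL.port is '' then).
  if (port === undefined) return u.port === '';
  return port === '*' || port === (u.port || (urlScheme === 'https' ? '443' : '80'));
}

function scriptAllowed(csp, url, pageOrigin) {
  const sources = parseDirective(csp, 'script-src');
  if (sources === null) return true;                   // no script-src at all: unrestricted in this model
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Directive quoted in the error message (whitespace normalised) and the manifest CSP from the question.
const PAGE_CSP = "script-src 'self' *.google.com *.google-analytics.com 'unsafe-inline' 'unsafe-eval' *.gstatic.com *.googlesyndication.com *.blogger.com *.googleapis.com uds.googleusercontent.com https://s.ytimg.com www-onepick-opensocial.googleusercontent.com www-bloggervideo-opensocial.googleusercontent.com www-blogger-opensocial.googleusercontent.com *.blogspot.com https://www.blogblog.com";
const EXTENSION_CSP = "script-src 'self' https://ssl.google-analytics.com https://*.zemanta.com; object-src 'self'";
const PAGE_ORIGIN = 'https://example.blogspot.com';  // assumed origin of the page the content script runs in
const ZEMANTA_JS = 'https://static.zemanta.com/widgets/blogger.com/merged-blogger.js?v=1451290656';
console.log(scriptAllowed(PAGE_CSP, ZEMANTA_JS, PAGE_ORIGIN), scriptAllowed(EXTENSION_CSP, ZEMANTA_JS, PAGE_ORIGIN)); // false true
```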