Reputation: 3548
I am using a Chrome extension to inject an AJAX request into a website. However, I keep randomly getting this error:
Refused to connect to 'http://127.0.0.1:5005/' because it violates the following Content Security Policy directive: "connect-src 'self' static.licdn.com media.licdn.com static-exp1.licdn.com static-exp2.licdn.com media-exp1.licdn.com media-exp2.licdn.com https://media-src.linkedin.com/media/ www.linkedin.com s.c.lnkd.licdn.com m.c.lnkd.licdn.com s.c.exp1.licdn.com s.c.exp2.licdn.com m.c.exp1.licdn.com m.c.exp2.licdn.com wss://*.linkedin.com dms.licdn.com".
It doesn't happen all the time. Just some of the time. I am really confused. Is there a way around it?
This is the code inside chrome_extension.js
function checkName() {
  // Split the profile heading into first and last name.
  var fullNameSplit = $('#topcard h1').first().text().trim().split(' ');
  var firstName = fullNameSplit[0];
  var lastName = fullNameSplit[fullNameSplit.length - 1];
  console.log(firstName, lastName);
  console.log('checking name');
  $.ajax({
    type: 'POST',
    url: 'http://127.0.0.1:5005/',
    data: JSON.stringify({ first: firstName, last: lastName }),
    contentType: 'application/json',
    // dataType: 'json',
    success: function (response) {
      // jQuery may already have parsed a JSON response; only parse raw strings.
      // Declare locals so nothing leaks into the global scope.
      var data = typeof response === 'string' ? JSON.parse(response) : response;
      var firstNameFound = data.first_name;
      var lastNameFound = data.last_name;
      var fullNameFound = data.full_name;
      // Insert the server value as text, not HTML, so it cannot inject markup.
      $('.profile-info').prepend($('<span>').text('Full Name Found: ' + fullNameFound), '<br><br>');
      // '<br><br>First Name Found: ' + firstNameFound + '<br><br>Last Name Found: ' + lastNameFound + '<br><br>'
    }
  });
}
manifest.json
{
  "manifest_version": 2,
  "name": "Upstart Extension",
  "version": "1.0",
  "browser_action": {
    "default_icon": "icons/download.png"
  },
  "background": {
    "scripts": ["background.js"]
  },
  "permissions": [
    "activeTab",
    "https://ajax.googleapis.com/",
    "storage"
  ],
  "content_scripts": [
    {
      "matches": ["https://www.linkedin.com/*", "http://www.linkedin.com/*"],
      "js": ["keypress.js", "jquery.js", "chrome_extension.js"],
      "run_at": "document_end"
    }
  ],
  "content_security_policy": "script-src 'self' http://127.0.0.1:5005/; connect-src 'self' http://127.0.0.1:5005/; object-src 'self'"
}
Upvotes: 1
Views: 306
Reputation: 2144
This looks like you're being blocked by a website's Content Security Policy, which is a security policy set by the web server that provides a list of servers it is allowed to connect to. Basically, it's a piece of security designed to stop exactly what you're doing, because it looks like an XSS injection attack.
It likely only happens some of the time because only some sites have CSP enabled.
Is there a way around it?
Assuming CSP is effective, no, there isn't a way around it unless the site in question adds the source you're connecting to to its content policy.
Upvotes: 1
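To show concretely why the page's policy refuses the request, here is an added example (not code from the question or the answer) that evaluates a connect-src directive against a target URL using the CSP3 source-matching rules, simplified to compare paths verbatim and to ignore redirects; the page URL is a constructed placeholder.

```javascript
// Added example, not code from the question or the answer: a simplified
// evaluator for one CSP connect-src directive following the CSP3 host-source
// matching rules (paths compared verbatim, redirects not modelled).
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// An http expression may match an https URL and ws may match wss, never the reverse.
function schemeMatches(exprScheme, urlScheme) {
  return exprScheme === urlScheme ||
    (exprScheme === "http:" && urlScheme === "https:") ||
    (exprScheme === "ws:" && urlScheme === "wss:");
}

// True when `target` may be connected to from a document at `pageUrl` under the
// given connect-src value (the text after "connect-src" in the policy).
function cspAllows(directiveValue, pageUrl, target) {
  const page = new URL(pageUrl);
  const url = new URL(target);
  const urlPort = url.port || DEFAULT_PORTS[url.protocol] || "";
  return directiveValue.trim().split(/\s+/).some((expr) => {
    if (expr.toLowerCase() === "'self'") return url.origin === page.origin;
    if (expr.startsWith("'")) return false;           // 'none', nonces, hashes: never match a connection
    if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {          // scheme-source such as "https:"
      return schemeMatches(expr.toLowerCase(), url.protocol);
    }
    // host-source: [scheme://]host[:port][/path]
    const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/i.exec(expr);
    if (!m) return false;
    const scheme = m[1] ? m[1].toLowerCase() + ":" : page.protocol; // no scheme: inherit the page's
    const host = m[2].toLowerCase();
    const port = m[3];
    const path = m[4];
    if (!schemeMatches(scheme, url.protocol)) return false;
    if (host.startsWith("*.")) {                       // "*.linkedin.com" matches subdomains, not the apex
      if (!url.hostname.endsWith(host.slice(1))) return false;
    } else if (host !== "*" && url.hostname !== host) return false;
    if (port === undefined) {                          // no port given: only the scheme's default port matches
      if (urlPort !== DEFAULT_PORTS[url.protocol]) return false;
    } else if (port !== "*" && port !== urlPort) return false;
    if (path === undefined) return true;
    return path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path;
  });
}

// The connect-src value quoted in the error message in the question.
const LINKEDIN_CONNECT_SRC = "'self' static.licdn.com media.licdn.com static-exp1.licdn.com static-exp2.licdn.com media-exp1.licdn.com media-exp2.licdn.com https://media-src.linkedin.com/media/ www.linkedin.com s.c.lnkd.licdn.com m.c.lnkd.licdn.com s.c.exp1.licdn.com s.c.exp2.licdn.com m.c.exp1.licdn.com m.c.exp2.licdn.com wss://*.linkedin.com dms.licdn.com";
const PAGE = "https://www.linkedin.com/in/someone/"; // constructed page URL, not from the question
// The extension's localhost request is refused; a LinkedIn websocket endpoint is allowed.
console.log(cspAllows(LINKEDIN_CONNECT_SRC, PAGE, "http://127.0.0.1:5005/"));   // false
console.log(cspAllows(LINKEDIN_CONNECT_SRC, PAGE, "wss://dms.linkedin.com/ws")); // true
```

No source expression in the directive names 127.0.0.1, and 'self' only covers the LinkedIn origin, so the refusal is the policy working as intended rather than an intermittent fault in the extension.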