Reputation: 9220
I've tried all possible setups for the CSP settings in my manifest.json, this is my current (very open and unsafe, I know).
When I open the background inspect for the extension, the first time after reloading it's fine, sometimes up until the fifth time, and then all of a sudden the errors below start pouring in...
"content_security_policy": "default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src *; style-src * 'unsafe-inline';"
And still I'm getting the following error:
Refused to load the script 'https://myapp-12345.firebaseio.com/.lp?start=t&ser=1234567&cb=15&v=5' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
Is there anything I'm missing?
Upvotes: 0
Views: 9027
Reputation: 2386
The "content_security_policy" entry in the Chrome extension manifest allows developers to relax the CSP to a certain extent only. The subset of values allowed for style-src is very limited; quoting from the official documentation:
Currently, developers can allowlist origins with the following schemes: blob, filesystem, https, and chrome-extension. The host part of the origin must explicitly be specified for the https and chrome-extension schemes. Generic wildcards such as https:, https://* and https://*.com are not allowed; ...
Many of the values specified in your CSP (e.g. * and 'unsafe-inline' for script-src) are not valid in "content_security_policy", and Chrome ignores them (with a warning) when parsing manifest.json.
I suspect that you might be checking errors in the JavaScript console of the background page. You need to check the errors and warnings generated for your manifest.json first. Go to chrome://extensions/ and click on the Errors button for your extension. There will be several warnings such as this:
content_security_policy': Ignored insecure CSP value "*" in directive 'script-src'.
Edit: I just noticed that the Errors page (chrome://extensions/?errors=<extension-id>) behaves inconsistently. There seems to be a bug that causes the warnings about ignored CSP values to only show up after reloading the extension.
"content_security_policy" in Chrome
"content_security_policy" in Firefox
(The specification is basically identical but I find the documentation on MDN nicer and easier to follow.)
Upvotes: 7
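As an added illustration of the answer above (not code from the question, the answer, or Chrome itself), this small script applies the quoted allowlist rules to a manifest CSP string and reports which sources Chrome would ignore. It assumes that only script-src and object-src are filtered this way (other directives are passed through) and that 'self', 'none' and 'unsafe-eval' are the keywords that survive; the Firebase host in the fixed policy is the one from the question's error message.

```javascript
// Added example: approximate the rules quoted in the answer, not Chrome's real parser.
// Assumption: only script-src and object-src are filtered; other directives pass through.
const FILTERED = new Set(['script-src', 'object-src']);
const ALLOWED_SCHEMES = new Set(['blob', 'filesystem', 'https', 'chrome-extension']);
const KEPT_KEYWORDS = new Set(["'self'", "'none'", "'unsafe-eval'"]); // assumption
// Reason Chrome would drop `src` from a filtered directive, or null if it is kept.
function rejectReason(src) {
  const s = src.toLowerCase();
  if (s === '*') return 'generic wildcard';
  if (KEPT_KEYWORDS.has(s)) return null;
  if (s.startsWith("'")) return `${src} not allowed in an extension CSP`; // e.g. 'unsafe-inline'
  const m = /^([a-z][a-z0-9+.-]*):(?:\/\/([^/]*))?/.exec(s);
  if (!m) return 'source has no scheme';
  const [, scheme, host] = m;
  if (!ALLOWED_SCHEMES.has(scheme)) return `scheme "${scheme}:" not allowed`;
  if (scheme === 'https' || scheme === 'chrome-extension') {
    if (!host) return 'host must be explicit';            // https:
    if (host === '*' || host.startsWith('*.')) return 'wildcard host not allowed'; // https://*, https://*.com
  }
  return null;
}
// Split the policy into directives, drop ignored sources, and report what Chrome would warn about.
function auditExtensionCsp(csp) {
  const ignored = [];
  const kept = [];
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    const name = directive.toLowerCase();
    const ok = sources.filter((src) => {
      const why = FILTERED.has(name) ? rejectReason(src) : null;
      if (why) ignored.push({ directive: name, source: src, reason: why });
      return !why;
    });
    kept.push([name, ...ok].join(' '));
  }
  return { ignored, effective: kept.join('; ') };
}
// The policy from the question: from its script-src only 'unsafe-eval' passes the filter.
const QUESTION_CSP = "default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; "
  + "connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src *; style-src * 'unsafe-inline';";
// A policy Chrome accepts: the Firebase host from the error message, named explicitly.
const FIXED_CSP = "script-src 'self' 'unsafe-eval' https://myapp-12345.firebaseio.com; object-src 'self'";
console.log(auditExtensionCsp(QUESTION_CSP).ignored);      // two entries, both in script-src
console.log(auditExtensionCsp(FIXED_CSP).ignored.length);  // 0
```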