I am currently working on Google sign-in in a Chrome extension with MV3, and I have an issue with CSP; every time I run the extension I get this error:
Refused to load the script 'https://apis.google.com/js/api.js' because it violates the following Content Security Policy directive: "script-src 'self' 'wasm-unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
and
Refused to load the script 'https://accounts.google.com/gsi/client' because it violates the following Content Security Policy directive: "script-src 'self' 'wasm-unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
Can somebody give me some ideas on how to fix this? I need this to work on MV3.
Trying to call a localhost URL in a Cordova app, I got the error below:
A cookie associated with a cross-site resource at http://local_ip/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
And this error:
Resource interpreted as Document but transferred with MIME type application/vnd.ms-excel: "http://local_ip:8083/api/getMailReport?reportType=MU&surId=SUR00002&selectedFromDate=05%2F11%2F2019&selectedToDate=11%2F11%2F2019&lang=E&generateReport=Generate+Report".
How do I overcome this issue?
Chrome will be changing its behavior in Chrome 80 to apply two new rules:
Cookies without a SameSite attribute will be treated as SameSite=Lax by default, i.e. they will be first-party or same-site only
Cookies intended for third-party or cross-site use must be marked as SameSite=None; Secure.
The console warnings are just to inform you that you will need to add the relevant attributes to your cookies depending on what behavior your site needs.
You can see https://web.dev/samesite-cookies-explained and https://web.dev/samesite-cookie-recipes for more information.
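To make the two Chrome 80 rules in the answer above concrete, here is an added example (not code from the original answer) that parses a Set-Cookie header, works out the SameSite mode Chrome will apply, and decides whether the cookie would be attached to a given kind of request. The cookie headers and request kinds are constructed for illustration.

```javascript
// Added example, not part of the original answer: models how Chrome 80 treats cookies
// set without a SameSite attribute and what it takes for a cookie to survive cross-site use.

// Parse a Set-Cookie header into { name, value, secure, sameSite }.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? '' : parts[0].slice(eq + 1);
  const attrs = {};
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return {
    name,
    value,
    secure: attrs.secure === true,
    sameSite: typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : null,
  };
}

// Rule 1: a cookie without SameSite is treated as Lax.
// Rule 2: SameSite=None is only accepted together with Secure; Chrome drops it otherwise.
function effectiveSameSite(cookie) {
  if (cookie.sameSite === null) return 'lax';
  if (cookie.sameSite === 'none') return cookie.secure ? 'none' : 'rejected';
  if (cookie.sameSite === 'strict' || cookie.sameSite === 'lax') return cookie.sameSite;
  return 'lax'; // unrecognised value: treated like a missing attribute
}

// requestKind is one of:
//   'same-site'              request made by the cookie's own site
//   'cross-site-navigation'  top-level GET navigation from another site (e.g. a link click)
//   'cross-site-subresource' fetch/XHR, <img>, <iframe> etc. embedded by another site
function wouldBeSent(cookie, requestKind) {
  const mode = effectiveSameSite(cookie);
  if (mode === 'rejected') return false;          // never stored, so never sent
  if (requestKind === 'same-site') return true;
  if (mode === 'none') return true;               // explicitly opted in to cross-site use
  if (mode === 'lax') return requestKind === 'cross-site-navigation';
  return false;                                   // strict: first-party only
}

// Rewrite a legacy Set-Cookie header so the cookie keeps working cross-site under the new rules.
function makeCrossSiteCookie(header) {
  const c = parseSetCookie(header);
  const kept = header.split(';').slice(1).map((p) => p.trim()).filter((a) => {
    const key = a.split('=')[0].trim().toLowerCase();
    return key !== 'samesite' && key !== 'secure';
  });
  return [`${c.name}=${c.value}`, ...kept, 'SameSite=None', 'Secure'].join('; ');
}

// Constructed sample: a session cookie set the old way, as in the Cordova question above.
const legacyHeader = 'sid=abc123; Path=/; HttpOnly';
console.log(effectiveSameSite(parseSetCookie(legacyHeader)));                        // lax
console.log(wouldBeSent(parseSetCookie(legacyHeader), 'cross-site-subresource'));    // false
console.log(makeCrossSiteCookie(legacyHeader));
```

The model leaves out Chrome's temporary "Lax + POST" exception (cookies less than two minutes old are also sent on cross-site top-level POSTs) and only covers the attribute rules the answer describes. Note that `Secure` means the cookie is only sent over HTTPS, so a `SameSite=None; Secure` cookie will not fix an app that still talks to the API over plain `http://local_ip`.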
We have an issue with CORS policies and are not sure whether it is a bug or not.
We tried setting a CORS policy on a product used in an API, without any effect. Then we applied the same CORS policy at API level for "all operations". This time it worked as expected.
As we understand it, a CORS policy at product level should also be doable; we might be wrong, or is there some detail we should be aware of to get this working at product level?
If your product requires a subscription, then for the CORS policy to work the key MUST be passed in the query string. The problem here is that if you try to pass the subscription key in a header, the browser will still send the OPTIONS request without any extra headers. APIM will not be able to identify the product and apply the subscription key, so the CORS policy will not work.
If the key is passed in the query string, on the other hand, this information is present in the OPTIONS request and APIM works as desired.
This is not an APIM problem per se, as the CORS spec itself does not allow any extra headers in the OPTIONS request. And it only applies to requests that require a preflight OPTIONS request. CORS GET requests should work, as those are sent directly.
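The answer above hinges on what a browser actually puts into a preflight. The following added example (not code from the original answer) applies the Fetch spec's "simple request" test to decide whether a preflight is needed and then builds the OPTIONS request the browser would send, showing that a key carried in a request header is only named in `Access-Control-Request-Headers` while a key in the query string travels with the URL. The header and query parameter names `Ocp-Apim-Subscription-Key` and `subscription-key` are APIM's defaults; the request objects are constructed for illustration.

```javascript
// Added example, not part of the original answer: what survives into a CORS preflight.
// Header/query names are APIM's defaults (Ocp-Apim-Subscription-Key, subscription-key);
// adjust them if your product uses different ones.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// Simplified form of the Fetch spec's test: anything beyond GET/HEAD/POST with
// safelisted headers (and a safelisted Content-Type) triggers a preflight.
function needsPreflight(req) {
  if (!SAFE_METHODS.has(req.method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(req.headers || {})) {
    const n = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(n)) return true;
    if (n === 'content-type') {
      const mime = String(value).split(';')[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mime)) return true;
    }
  }
  return false;
}

// The OPTIONS request the browser sends on its own. Custom request headers are only
// *named* in Access-Control-Request-Headers; their values are not included, so a
// subscription key passed as a header never reaches the gateway during the preflight.
// The URL, query string included, is sent unchanged.
function preflightFor(req, origin) {
  const url = new URL(req.url);
  const custom = Object.keys(req.headers || {})
    .map((h) => h.toLowerCase())
    .filter((h) => !SAFELISTED_HEADERS.has(h))
    .sort();
  const headers = {
    Origin: origin,
    'Access-Control-Request-Method': req.method.toUpperCase(),
  };
  if (custom.length) headers['Access-Control-Request-Headers'] = custom.join(',');
  return { method: 'OPTIONS', url: url.href, headers };
}

// Returns the subscription key the gateway can see during the preflight, or null.
function keyInPreflight(req, origin) {
  const pre = preflightFor(req, origin);
  const fromQuery = new URL(pre.url).searchParams.get('subscription-key');
  if (fromQuery !== null) return fromQuery;
  // Header-based keys: check every preflight header value, which never carries them.
  const fromHeader = Object.values(pre.headers).find((v) => v === (req.headers || {})['Ocp-Apim-Subscription-Key']);
  return fromHeader === undefined ? null : fromHeader;
}

// Constructed samples: the same call with the key in a header and in the query string.
const origin = 'https://app.example';
const viaHeader = {
  method: 'POST',
  url: 'https://api.example/orders',
  headers: { 'Content-Type': 'application/json', 'Ocp-Apim-Subscription-Key': 'k1' },
};
const viaQuery = {
  method: 'POST',
  url: 'https://api.example/orders?subscription-key=k1',
  headers: { 'Content-Type': 'application/json' },
};
console.log(preflightFor(viaHeader, origin));       // key only named, not sent
console.log(keyInPreflight(viaHeader, origin));     // null
console.log(keyInPreflight(viaQuery, origin));      // 'k1'
```

A plain `GET` with only safelisted headers returns `false` from `needsPreflight`, which is the case the answer calls "sent directly". Putting the key in the query string does make it visible in server access logs and browser history, so scope that key to the product and rotate it if those logs are shared.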
I'm working on a site that I want to include Google's reCAPTCHA on.
If I add the following <script> tag to my <head>:
<script crossorigin="anonymous" src='https://www.google.com/recaptcha/api.js'>
</script>
I get the following error:
Access to Script at 'https://www.google.com/recaptcha/api.js' from origin 'http://localhost:3000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access.
Okay, fine, fair enough. I can always disable CORS on Chrome when working on localhost. But the domain is www.google.com. I don't really feel comfortable sending an access-control-allow-origin header to anything that's on Google's root domain - that feels like a security hole you could drive a bus through.
How do I get around this with a reasonable production setting for dealing with cross origin concerns here?
Remove crossorigin="anonymous".
Your page just needs to run the script. It has no need to ask for elevated privileges so your JS can access more information about it. If it threw an error then you wouldn't have access to Google's servers in order to correct it anyway.
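The answer above is right that the attribute is the problem. The added example below (not code from the original answer) models what `crossorigin` changes on a `<script>` tag: without it the browser fetches in `no-cors` mode and runs the script from an opaque response, at the cost of seeing only the bare "Script error." in `window.onerror` for cross-origin exceptions; with it the fetch is in `cors` mode and fails unless the server sends a matching `Access-Control-Allow-Origin`. The response header objects are constructed for illustration, not captured from google.com.

```javascript
// Added example, not part of the original answer: how the crossorigin attribute on <script>
// maps to a fetch mode, and what that means for whether the script runs.

// The HTML "CORS settings attribute" states: absent -> no-cors, "anonymous"/"" -> cors
// without credentials, "use-credentials" -> cors with credentials.
function scriptFetchPolicy(crossoriginAttr) {
  if (crossoriginAttr === null || crossoriginAttr === undefined) {
    return { mode: 'no-cors', credentials: 'include' };   // plain <script src>: opaque response
  }
  if (String(crossoriginAttr).toLowerCase() === 'use-credentials') {
    return { mode: 'cors', credentials: 'include' };
  }
  return { mode: 'cors', credentials: 'same-origin' };    // "anonymous" or empty value
}

// Decide whether the script runs and whether window.onerror would get full error details.
function scriptOutcome(policy, pageOrigin, scriptUrl, response) {
  if (new URL(scriptUrl).origin === pageOrigin) return { runs: true, errorDetails: true };
  if (policy.mode === 'no-cors') {
    // No CORS headers needed. Cross-origin exceptions are reported to window.onerror
    // as "Script error." with no message, file or line number.
    return { runs: true, errorDetails: false };
  }
  const h = Object.fromEntries(
    Object.entries(response.headers || {}).map(([k, v]) => [k.toLowerCase(), v]),
  );
  const acao = h['access-control-allow-origin'];
  if (!acao) {
    return { runs: false, errorDetails: false,
      reason: "No 'Access-Control-Allow-Origin' header is present on the requested resource." };
  }
  if (acao !== '*' && acao !== pageOrigin) {
    return { runs: false, errorDetails: false, reason: `Origin ${pageOrigin} is therefore not allowed access.` };
  }
  if (policy.credentials === 'include' && (acao === '*' || h['access-control-allow-credentials'] !== 'true')) {
    return { runs: false, errorDetails: false,
      reason: 'credentialed request needs an explicit origin and Access-Control-Allow-Credentials: true' };
  }
  return { runs: true, errorDetails: true };
}

// Constructed sample: the reCAPTCHA tag from the question, against a response without CORS headers.
const page = 'http://localhost:3000';
const recaptcha = 'https://www.google.com/recaptcha/api.js';
const noCorsResponse = { headers: { 'Content-Type': 'text/javascript' } };   // constructed
console.log(scriptOutcome(scriptFetchPolicy('anonymous'), page, recaptcha, noCorsResponse)); // runs: false
console.log(scriptOutcome(scriptFetchPolicy(null), page, recaptcha, noCorsResponse));        // runs: true
```

The only thing `crossorigin="anonymous"` would buy the page is readable stack traces from Google's script, which the answer notes you cannot act on anyway. Removing the attribute does not weaken anything: the page is already trusting that script to execute, and no `Access-Control-Allow-Origin` header has to be sent by anyone.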
I have a situation where users are able to define CSS for specific areas of the site that they maintain. They are able to insert remote resources into this document, and subsequently log IP requests made to these resources by guest users visiting their pages.
Short of adding a purification system that filters remote URLs, is there a way to instruct the client not to make ANY foreign requests? My site is 100% self-contained at the origin and makes no foreign CDN requests. I basically want it so that any foreign request is blocked.
Content Security Policy can limit the resources that can be included in the site.
For example, this would limit the page to load scripts only from its own domain and from the Google domain:
Content-Security-Policy: script-src 'self' https://apis.google.com
More options, including for loading styles:
style-src is script-src's counterpart for stylesheets.
connect-src limits the origins to which you can connect (via XHR, WebSockets, and EventSource).
frame-src: use child-src instead.
img-src defines the origins from which images can be loaded.
media-src restricts the origins allowed to deliver video and audio.
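For the question's actual goal (block every foreign request from user-authored CSS), the policy to send is `Content-Security-Policy: default-src 'self'`, because `img-src`, `font-src` and `style-src` all fall back to `default-src` when they are not set. The added example below (not code from the original answer) is a small evaluator for CSP source lists that walks that fallback chain and matches `'self'`, host and scheme sources, so you can check offline which `url()` references from a user's stylesheet a browser would fetch under a given header. Sample policies and URLs are constructed; the matching is a simplification of the CSP spec (scheme-less host sources match any scheme, `*` matches every URL, `data:`/`blob:` special cases are not modelled).

```javascript
// Added example, not part of the original answer: evaluate whether a resource URL is allowed
// by a CSP header. Simplified relative to the CSP spec (see lead-in).
const FALLBACK = {
  'script-src': 'default-src', 'style-src': 'default-src', 'img-src': 'default-src',
  'font-src': 'default-src', 'connect-src': 'default-src', 'media-src': 'default-src',
  'child-src': 'default-src', 'frame-src': 'child-src',
};

// "default-src 'self'; img-src *.fbcdn.net" -> { 'default-src': ["'self'"], 'img-src': ['*.fbcdn.net'] }
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Walk the fallback chain; null means the policy does not restrict this kind of fetch.
function sourceListFor(policy, directive) {
  let d = directive;
  while (d !== undefined && !(d in policy)) d = FALLBACK[d];
  return d === undefined ? null : policy[d];
}

function matchesSource(source, url, pageOrigin) {
  // Keyword sources ('none', 'unsafe-inline', nonces, hashes) never match a URL; only 'self' can.
  if (source.startsWith("'")) return source === "'self'" && url.origin === pageOrigin;
  if (source === '*') return true;
  // Scheme source such as "https:"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  // Host source: [scheme://][*.]host[:port|:*]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ':') return false;
  const actualHost = url.hostname.toLowerCase();
  const wantHost = host.toLowerCase();
  if (!(wildcard ? actualHost.endsWith('.' + wantHost) : actualHost === wantHost)) return false;
  if (port && port !== '*') {
    const actualPort = url.port || (url.protocol === 'https:' ? '443' : '80');
    if (actualPort !== port) return false;
  }
  return true;
}

// Would the browser fetch resourceUrl for `directive` (e.g. 'img-src' for a CSS background)?
function allowed(header, directive, resourceUrl, pageOrigin) {
  const list = sourceListFor(parsePolicy(header), directive);
  if (list === null) return true;
  const url = new URL(resourceUrl);
  const origin = new URL(pageOrigin).origin;
  return list.some((src) => matchesSource(src, url, origin));
}

// Constructed sample: a tracking pixel smuggled into user CSS as a background image.
const site = 'https://mysite.example';
console.log(allowed("default-src 'self'", 'img-src', 'https://tracker.example/pixel.png', site)); // false
console.log(allowed("default-src 'self'", 'img-src', 'https://mysite.example/img/bg.png', site)); // true
```

Two practical notes: serve each user's CSS as a file from your own origin (rather than inline `<style>` or `style=""` attributes) so that `'self'` covers it without `'unsafe-inline'`, and remember that CSP is enforced by the visitor's browser, so it complements rather than replaces filtering the stored CSS on the server.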
I have a script that adds members to a Facebook group, but I have a problem: the script is long, so I want to shorten it. That's why I use code that calls it through a source file uploaded to a server; the code is this:
javascript:(function(){document.body.appendChild(document.createElement('script')).src='URL';})();
But the code is not working; it says:
Refused to load the script 'My Script URL' because it violates the following Content Security Policy directive: "script-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* chrome-extension://lifbcibllhkdhoafpjfnlhfpfgnpldfl 'unsafe-inline' 'unsafe-eval' https://*.akamaihd.net http://*.akamaihd.net".
What do I have to do to fix this?
All JavaScript and all resources should be local (everything gets packaged in your packaged app).
Don't load the script from a server. Add it as a resource to your extension, and it should work fine.