I want to use Bootstrap in my Chrome Extension project, but Manifest V3 disallows certain CSP modifications for extension_pages that were permitted in Manifest V2. The script-src, object-src, and worker-src directives
I wrote a Java WebApp using Tomcat Version 9.0.69 and Wicket 9.12.0 plus Chrome Version 109.0.5414.75 for display, but CSP (Content-Security-Policy) totally messes up the display with a bunch of "Refused to [load the stylesheet/script '' | apply inline style] because it violates the following Content Security Policy directive: ...".
I tried to use HTML meta tags like "", but it failed.
I tried to configure CSP inside Tomcat config, it failed too.
The only way right now I can see my web application properly is by using a Chrome plugin to disable CSP for the display tab.
I would like to fix this issue at the source, where is strict CSP policy defined here, Tomcat, Wicket, or Chrome?
I tried to fix CSP in HTML metas and Tomcat config, no effect.
Only disabling CSP in Chrome with a plugin worked to nullify CSP effect.
Some CSP related settings are defined in Wicket.
If you use the quickstart Maven archetype then they are in WicketApplication.java
You could disable them by replacing these lines with:
getCspSettings().blocking().disabled();
We receive mp3 voicemails in Gmail. Starting today, all computers using Google Chrome can't play mp3s found in Gmail. This doesn't affect other sites that host mp3s.
Upon further inspection, the console reports:
Refused to load media from 'https://mail.google.com/mail/u/...' because it violates the following Content Security Policy directive: "media-src https://*.googlevideo.com/videoplayback/".
Is Gmail not following its new CSP policies? Is there any workaround other than simply downloading and playing the files?
With the Content Security Policy directive media-src https://*.googlevideo.com/videoplayback/, media files from sources other than https://*.googlevideo.com/videoplayback/ can't be played in <video>/<audio> tags embedded in the page.
Even if you load the media by AJAX and create an <audio> tag with a blob: URL, it will be blocked by the above CSP.
It's not browser dependent; that's how CSP works.
With the current CSP restrictions, media files can be played only in isolated browsing contexts like <iframe>/<object>/<embed>.
I don't know whether Gmail did this intentionally or accidentally, but only browser extensions using nested browsing contexts can play media under such conditions.
In the end, I created a Chrome Extension with XMLHttpRequest to get around CSP and to play the mp3 without a direct download.
I released a Chrome Extension called GPlayer. Waiting on Google to approve. I believe the future link is https://chrome.google.com/webstore/detail/obdmmgdlafadeehmbmcmoggnaokehnaj
Github link - https://github.com/TriStarGod/GPlayer
I have a desktop Chrome App that acts as a dashboard, and simply embeds 4 sites in webviews. Unfortunately Chrome Apps are deprecated so I'm wondering what I can use instead.
I was looking into Progressive Web Apps but it necessitates iframes, which don't work as the sites supply X-Frame-Options: DENY (not under my control unfortunately).
What is the best way of displaying 4 3rd party sites in a window, with minimal chrome (as in UI clutter)?
With the previous PhoneGap version, I used to open Google Maps from the app simply by opening a URL with an href, like this: https://www.google.com/maps/dir/?api=1&origin=43.9815648,7.5328161&destination=41.802425,12.6021389
But I noticed with PhoneGap 7 that when I tap on the href element, nothing happens. Why?
How can I fix this and open Google Maps with a given itinerary?
The pages you can load, scripts you can load, etc., are now controlled by CSP (Content Security Policy), rather than just the old whitelist mechanism in config.xml. So, if you want to access pages you have to set up your Content Security Policy appropriately. To use Google Maps you at least need to add google.com to the default src, and gstatic.com to data. These may not be enough, and if they aren't, probably the only option is looking at the errors in the developer console; see here how to get the Chrome developer console on Android, and here to see it on iOS. I always find a bunch of trial and error is required to get CSP set just right.
<meta http-equiv="Content-Security-Policy" content="default-src 'self' google.com data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline' google.com; media-src *">
That said, you probably don't want Google Maps taking control of your application (or maybe you do?), so the other recommendations to use the InAppBrowser plugin would be recommended. It only requires adding one plugin and using some JavaScript to open the window:
cordova.InAppBrowser.open('https://www.google.com/maps/dir/?api=1&origin=43.9815648,7.5328161&destination=41.802425,12.6021389', '_blank', 'location=yes');
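To make the blocking behaviour described in the Gmail answer above and the Cordova meta-tag policy concrete, here is an added example (not code from any post in this thread) that evaluates a CSP source list the way CSP3 host, scheme and path matching works; it assumes ports, nonces, hashes and 'none' can be ignored, and that the Cordova page origin is https://localhost.

```javascript
// Added example, not code from any post in this thread: a simplified CSP
// source-list evaluator (CSP3 host/scheme/path matching; ports, nonces,
// hashes and 'none' are deliberately left out).
const FALLBACK = { 'script-src': 'default-src', 'style-src': 'default-src', 'img-src': 'default-src',
                   'media-src': 'default-src', 'connect-src': 'default-src', 'font-src': 'default-src' };

// "media-src a b; style-src c" -> { 'media-src': ['a', 'b'], 'style-src': ['c'] }
function parsePolicy(text) {
  const policy = {};
  for (const part of text.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// "*.example.com" matches subdomains only; a bare host matches itself only
function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

function sourceMatches(expr, url, pageOrigin) {
  const e = expr.toLowerCase();
  // '*' covers network schemes only, so blob:/data:/filesystem: stay blocked
  if (e === '*') return !['blob:', 'data:', 'filesystem:'].includes(url.protocol);
  // 'self' requires the page's scheme and host, which a blob: URL never has
  if (e === "'self'") return `${url.protocol}//${url.host}` === pageOrigin;
  if (e.startsWith("'")) return false;                 // other keywords: not handled
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e;    // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/]+)(\/.*)?$/.exec(e); // host-source
  if (!m) return false;
  const [, scheme, host, path] = m;
  if (scheme ? url.protocol !== scheme + ':' : !['http:', 'https:'].includes(url.protocol)) return false;
  if (!hostMatches(host, url.hostname)) return false;
  // a path ending in "/" is a prefix match; otherwise it must match exactly
  return !path || (path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path);
}

// True if `policyText` lets `directive` load `resourceUrl` on a page at `pageOrigin`.
function isAllowed(policyText, directive, resourceUrl, pageOrigin) {
  const policy = parsePolicy(policyText);
  const sources = policy[directive] || policy[FALLBACK[directive]];
  if (!sources) return true;                           // no governing directive
  return sources.some(expr => sourceMatches(expr, new URL(resourceUrl), pageOrigin));
}

// The Gmail policy quoted in this thread: neither a mail.google.com attachment URL
// nor a blob: URL created from it matches, which is why the mp3s stopped playing.
const GMAIL_CSP = 'media-src https://*.googlevideo.com/videoplayback/';
```

Running the same function over the Cordova meta-tag policy shows that google.com covers only that exact host, not maps.googleapis.com or other subdomains, which is why the trial and error the answer mentions is usually needed.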
You can't redirect your Cordova/PhoneGap view to a page hosted somewhere else (as opposed to on your phone) for security reasons, so you have two options:
1. Use a Cordova/PhoneGap plugin for Google Maps such as:
https://www.npmjs.com/package/cordova-plugin-googlemaps
2. Use the Cordova/PhoneGap in-app browser plugin to launch your map in a full-screen browser window within your app:
https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-inappbrowser/
Option #1 would be the preferred option.
If you want to launch the Google Maps app (as opposed to embed Google Maps in your app i.e. cordova-plugin-googlemaps), you can use the phonegap-launch-navigator plugin.
I'm reading through details on HTML5's app cache manifest (especially from this excellent article). I'm curious if this idea would work:
We host all of our static resources (scripts, css, fonts, images) on a CDN within a subdomain (e.g. cdn.example.com and app is on www.example.com). Is it possible to host the app cache manifest on the CDN as well? For example,
<!doctype html>
<html manifest="http://cdn.example.com/appcache.manifest">
...
<script src="http://cdn.example.com/foo.js"></script>
...
</html>
If yes, can the manifest listings be from the CDN root? For example, in the manifest:
CACHE MANIFEST
/foo.js
Does anyone have any experience with this and/or know of any caveats?
EDIT: The working draft of the WHATWG spec says "Offline application cache manifests can use absolute paths or even absolute URLs" and then shows an example with CDN URLs for images.
I tested with my manifest (a real example):
CACHE MANIFEST
# 2010-06-20:v1
iscroll.js
http://peach.blender.org/wp-content/uploads/big_big_buck_bunny.jpg
It works for me... You can check your manifest with the validator http://manifest-validator.com/.
The W3C only says the document (the HTML file that has the manifest attribute) must be same-origin with the manifest; they don't say the URLs of the resources must be too... You should read it carefully (here). I also found a cross-site URL in the W3C example (check here), which means it works correctly...
Finally, DON'T TRY TO PUT MANIFEST FILES ON A CDN; JUST PUT THEM ON YOUR SERVER AND LINK THE RESOURCES TO THE CDN. Manifest files have to have the same origin as their master entries, which includes their HTML files, and the browser checks the manifest file to see if its list of HTML pages has changed, rather than checking your HTML page to see if it points to a different manifest file.
The cached contents must satisfy the same-origin restriction, and the origin for comparison is determined by the calling page (the HTML page). If all of the resources you are trying to cache have a different host name, then according to the spec they should be rejected. So even if you could specify the manifest to be on the CDN and not your main host, the caching should fail.