I'm trying to develop a Chrome extension that provides translation of meeting audio using the Microsoft speech translation API. So far I've been able to integrate the API into my content script and trigger the translation process, but I'm getting the following errors right after:
Refused to create a worker from 'blob:https://meet.google.com/64dd2a91-68d8-4dad-a670-b2f60802b7b0' because it violates the following Content Security Policy directive: "worker-src 'self'".

Refused to create a worker from 'blob:https://meet.google.com/64dd2a91-68d8-4dad-a670-b2f60802b7b0' because it violates the following Content Security Policy directive: "script-src 'nonce-2I2d8Ck8M1aHt/5Ka0zUQQ' 'unsafe-eval' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.gstatic.com https://www.google-analytics.com https://youtube.googleapis.com https://youtube.com https://s.ytimg.com https://www.youtube.googleapis.com". Note that 'worker-src' was not explicitly set, so 'script-src' is used as a fallback.
Following is my manifest file:
{
  "name" : "Meeting Translator",
  "description" : "Real time audio to text translation",
  "version" : "0.0.1",
  "manifest_version" : 2,
  "browser_action" : {
    "default_popup" : "popup.html",
    "default_icon": {
      ...
    }
  },
  "icons" : {
    ...
  },
  "background" : {
    "scripts" : ["background.js"],
    "persistent" : false
  },
  "content_scripts" : [
    {
      "matches" : ["https://meet.google.com/*","http://meet.google.com/*"],
      "js" : [
        "js/microsoft.cognitiveservices.speech.sdk.bundle.js",
        "js/socket.io.min.js",
        "js/content.js"
      ]
    }
  ],
  "permissions" : ["tabs","contentSettings", "storage", "pageCapture"],
  "content_security_policy" : "script-src 'self'; script-src-elem 'self' data: blob:; worker-src 'self' data: blob:; object-src 'self'"
}
This is my first try at extension building. Any help is much appreciated.
PS: if anyone can, please explain or refer me to easy material to understand CSP better.
Related
This is my manifest file:
{
  "manifest_version": 3,
  "name": "Title",
  "version": "1.0",
  "description": "Description",
  "action": {
    "default_title": "Title",
    "default_popup": "popup.html"
  },
  "content_security_policy": {
    "script-src": [
      "'self'",
      "https://use.fontawesome.com/9cd1c736ac.js"
    ],
    "object-src": "self"
  },
  "web_accessible_resources": [
    {
      "resources": [
        "botScript.js"
      ],
      "matches": [],
      "extension_ids": []
    }
  ],
  "icons": {
    "16": "icons/icon16.png",
    "32": "icons/icon32.png",
    "48": "icons/icon48.png",
    "128": "icons/icon128.png"
  }
}
The following is for manifest version-2 and doesn't work for version-3:
"content_security_policy": "script-src 'self' https://example.com ; object-src 'self'",
And I have tried the following variations as well:
"content_security_policy": {
  "script-src": "'self' https://use.fontawesome.com/9cd1c736ac.js",
  "object-src": "self"
}

"content_security_policy": {
  "script-src": "self",
  "script-src-elem": "https://use.fontawesome.com/9cd1c736ac.js",
  "object-src": "self"
},
The documentation says:
Manifest V3 does not allow remote URLs in script-src of extension_pages.
So, does this mean we can't use any external script in V3 at all?
Also, I get the following error:
Refused to load the script 'https://use.fontawesome.com/9cd1c736ac.js' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
You are not allowed to reference an external JavaScript file in a Manifest V3 Chrome extension. If you publish it to the Chrome Web Store, the team will reject that update.
In Manifest V3, all of your extension's logic must be included in the extension. You can no longer load and execute a remotely hosted file.
Source: https://developer.chrome.com/docs/extensions/mv3/mv3-migration/#:~:text=In%20Manifest%20V3%2C%20all%20of%20your%20extension%27s%20logic%20must%20be%20included%20in%20the%20extension.%20You%20can%20no%20longer%20load%20and%20execute%20a%20remotely%20hosted%20file.
In the "Migrating to Manifest v3" article, it says that the directives, one of them being script-src, may have "only the following values", and then goes on to list "self". However, I used that in my code and I still got the error:
'content_security_policy.extension_pages': Insecure CSP value "https://js.pusher.com/4.2/pusher.min.js" in directive 'script-src'.
{
  "manifest_version": 3,
  "name": "Real-time NFL score",
  "version": "1.0",
  "description": "A simple Chrome extension to simulate the NFL scores in real-time",
  "content_security_policy": {
    "extension_pages": "script-src 'self' https://js.pusher.com/4.2/pusher.min.js https://stats.pusher.com; object-src 'self'"
  },
  "action": {
    "default_icon": "./img/icon.png",
    "default_popup": "popup.html"
  },
  "permissions": ["notifications", "activeTab"]
}
I am migrating to manifest v3, and I added all the needed content security policy to the manifest.json file. However, I received the following error:
EvalError: Refused to evaluate a string as JavaScript because unsafe-eval is not an allowed source of script in the following Content Security Policy directive: script-src self.
at eval ()
at inboxsdk.js:1177
manifest.json:
"content_scripts": [
  {
    "all_frames": false,
    "css": [ "css/content.css", "style.css", "css/buttons.css" ],
    "include_globs": [ "*://mail.google.*/*" ],
    "js": [ "resources/jquery-3.3.1/jquery-3.3.1.min.js", "js/api.js", "js/inpage.js", "js/menus.js", "js/content.js", "js/background.js", "lib/q.js", "js/inboxsdk.js", "js/app.js" ],
    "matches": [ "*://*/*", "<all_urls>" ],
    "run_at": "document_start"
  },
"manifest_version": 3,
"content_security_policy": {
  "extension_pages":" object-src 'self'",
  "sandbox": "sandbox allow-scripts; https://apis.google.com https://apis.google.com/js/client.js https://ajax.googleapis.com https://designshack.net/favicon.ico https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js https://aui-cdn.atlassian.com https://netdna.bootstrapcdn.com https://tarruda.github.com https://cdnjs.cloudflare.com https://ydn-src-2.storage.googleapis.com https://www.google.com/ ; default-src 'self'; object-src 'self'"
},
Please update your "extension_pages":" object-src 'self'", with the line of code below:
"extension_pages":"script-src 'self'; object-src 'self'",
I have a background JS script written in Angular 2. When I run the extension I get this permission notification:
compiler.js:34069 Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' blob: filesystem: chrome-extension-resource:".
My manifest file is:
{
  "manifest_version": 2,
  "name": "Getting started example",
  "description": "This extension allows the user to change the background color of the current page.",
  "version": "1.0",
  "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'",
  "browser_action": {
    "default_icon": "icon.png",
    "default_popup": "index.html",
    "default_title": "Click here!"
  },
  "permissions": [
    "activeTab",
    "storage"
  ]
}
Which changes should I make?
I am creating a Google Chrome extension that uses Google Earth.
I have added the following to my manifest:
{
  "name": "Calculator",
  "description": "A simple calculator.",
  "manifest_version": 2,
  "minimum_chrome_version": "23",
  "version": "1.3.2",
  "app": {"background": {"scripts": ["model.js", "view.js", "controller.js"]}},
  "icons": {
    "16": "images/icon-16x16.png",
    "128": "images/icon-128x128.png"
  },
  "content_security_policy": "script-src 'self' https://www.google.com/jsapi; https://www.google.com/uds/?file=earth&v=1; https://www.google.com/uds/api/earth/1.0/109c7b2bae7fe6cc34ea875176165d81/default.I.js; object-src 'self'",
  "permissions": [
    "storage",
    "https://*.google.com/"
  ]
}
Even so, when I run my extension, I get the following errors:
Refused to load the script 'https://www.google.com/jsapi' because it violates the following Content Security Policy directive: "default-src 'self' chrome-extension-resource:". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
Refused to load the script 'https://www.google.com/uds/?file=earth&v=1' because it violates the following Content Security Policy directive: "default-src 'self' chrome-extension-resource:". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
Refused to load the script 'https://www.google.com/uds/api/earth/1.0/109c7b2bae7fe6cc34ea875176165d81/default.I.js' because it violates the following Content Security Policy directive: "default-src 'self' chrome-extension-resource:". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
The URLs in your CSP should be separated by spaces, not semicolons. Semicolons are used to separate directives.
Cf. https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#syntax-and-algorithms:
A CSP policy consists of a U+003B SEMICOLON (;) delimited list of directives:
policy = [ directive *( ";" [ directive ] ) ]
So your CSP should read:
"content_security_policy": "script-src 'self' https://www.google.com/jsapi https://www.google.com/uds/?file=earth&v=1 https://www.google.com/uds/api/earth/1.0/109c7b2bae7fe6cc34ea875176165d81/default.I.js; object-src 'self'"
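The following is an added example, not code from any question or answer on this page. It is a small model of how a browser parses a CSP string, falls back from a missing directive to the next one in the chain, and matches a URL against source expressions. It ties together three things discussed above: the first question's worker error (where the quoted policy, with its nonce and Google hostnames, is the page's own policy rather than the extension manifest's, and where 'worker-src' falls back to 'script-src'), the Manifest V3 "Insecure CSP value" rejection of remote hosts in `script-src` of `extension_pages`, and the last answer's point that semicolons separate directives, so URLs joined with semicolons turn into bogus directive names. The matching rules are simplified from the spec (no wildcard hosts, hosts compared literally, nonces and hashes never match a URL); the extension id `exampleextensionid`, the `demo` function and the list of forms Manifest V3 tolerates in `script-src` are assumptions made for the example.

```javascript
// Added example (not code from this page or any answer on it): a simplified
// model of CSP parsing, directive fallback and source matching, used to replay
// the errors quoted in the questions above.

// "directive src src; directive src" -> Map(directive -> [sources]).
// Semicolons separate directives; the first token of each is its name.
function parseCsp(policy) {
  const directives = new Map();
  for (const chunk of policy.split(';')) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1)); // duplicates: first wins
  }
  return directives;
}

// Fallback chains applied when a directive is absent ("'worker-src' was not
// explicitly set, so 'script-src' is used as a fallback").
const FALLBACKS = {
  'worker-src': ['worker-src', 'script-src', 'default-src'],
  'script-src-elem': ['script-src-elem', 'script-src', 'default-src'],
  'script-src': ['script-src', 'default-src'],
};
function effectiveDirective(directives, wanted) {
  for (const name of FALLBACKS[wanted] || [wanted, 'default-src']) {
    if (directives.has(name)) return { name, sources: directives.get(name) };
  }
  return null; // nothing governs this load
}

// Does one source expression match url for a document at origin?
function sourceMatches(source, url, origin) {
  const lower = source.toLowerCase();
  if (lower === "'self'") {
    // The spec compares scheme and host literally, so 'self' never matches a
    // blob: or data: URL even when the same origin minted it.
    return url.protocol === origin.protocol && url.host === origin.host;
  }
  if (lower.startsWith("'")) return false; // 'unsafe-eval', 'nonce-...', 'none', ...
  if (/^[a-z][a-z0-9+.-]*:$/.test(lower)) return url.protocol === lower; // scheme-source, e.g. blob:
  let host;
  try { host = new URL(lower.includes('://') ? source : `https://${source}`); } catch { return false; }
  if (lower.includes('://') && host.protocol !== url.protocol) return false;
  if (host.host !== url.host) return false;
  const path = host.pathname; // a source's query string is ignored
  if (path === '/') return true; // host-only source: any path
  return path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path;
}

// Would a document at originString be allowed to load urlString for directive
// under policy? Also reports which directive actually decided it.
function checkLoad(policy, directive, urlString, originString) {
  const eff = effectiveDirective(parseCsp(policy), directive);
  if (!eff) return { allowed: true, governedBy: null, fallback: false };
  const url = new URL(urlString);
  const origin = new URL(originString);
  const allowed = eff.sources.some((s) => sourceMatches(s, url, origin));
  return { allowed, governedBy: eff.name, fallback: eff.name !== directive };
}

// Manifest V3 rejects remote hosts in script-src of extension_pages (the "Insecure
// CSP value" error). Assumption: only quoted keywords, scheme sources and localhost pass.
function mv3RemoteScriptSources(extensionPagesPolicy) {
  const eff = effectiveDirective(parseCsp(extensionPagesPolicy), 'script-src');
  if (!eff) return [];
  return eff.sources.filter((s) => !s.startsWith("'")
    && !/^[a-z][a-z0-9+.-]*:$/i.test(s)
    && !/^(https?:\/\/)?(localhost|127\.0\.0\.1)(:|\/|$)/i.test(s));
}

// Constructed inputs: the policies quoted in the questions above plus a
// placeholder extension origin (a real id is 32 lowercase letters).
const EXT = 'chrome-extension://exampleextensionid';
const EARTH = 'https://www.google.com/uds/api/earth/1.0/109c7b2bae7fe6cc34ea875176165d81/default.I.js';
const EARTH_URLS = ['https://www.google.com/jsapi', 'https://www.google.com/uds/?file=earth&v=1', EARTH];
const SEMICOLON_POLICY = `script-src 'self' ${EARTH_URLS[0]}; ${EARTH_URLS[1]}; ${EARTH}; object-src 'self'`;
const FIXED_POLICY = `script-src 'self' ${EARTH_URLS.join(' ')}; object-src 'self'`;
const MEET_WORKER_POLICY = "worker-src 'self'";
const MEET_SCRIPT_POLICY = "script-src 'nonce-2I2d8Ck8M1aHt/5Ka0zUQQ' 'unsafe-eval' 'self' https://apis.google.com https://ssl.gstatic.com";
const MANIFEST_MV2_POLICY = "script-src 'self'; script-src-elem 'self' data: blob:; worker-src 'self' data: blob:; object-src 'self'";
const BLOB_WORKER = 'blob:https://meet.google.com/64dd2a91-68d8-4dad-a670-b2f60802b7b0';
const PUSHER_POLICY = "script-src 'self' https://js.pusher.com/4.2/pusher.min.js https://stats.pusher.com; object-src 'self'";

function demo() {
  return {
    semicolonDirectives: [...parseCsp(SEMICOLON_POLICY).keys()], // the URLs became directive names
    earthUnderSemicolons: EARTH_URLS.map((u) => checkLoad(SEMICOLON_POLICY, 'script-src', u, EXT).allowed),
    earthWhenFixed: EARTH_URLS.map((u) => checkLoad(FIXED_POLICY, 'script-src', u, EXT).allowed),
    meetWorker: checkLoad(MEET_WORKER_POLICY, 'worker-src', BLOB_WORKER, 'https://meet.google.com'),
    meetWorkerViaFallback: checkLoad(MEET_SCRIPT_POLICY, 'worker-src', BLOB_WORKER, 'https://meet.google.com'),
    manifestPolicyWouldAllow: checkLoad(MANIFEST_MV2_POLICY, 'worker-src', BLOB_WORKER, EXT),
    mv3Rejects: mv3RemoteScriptSources(PUSHER_POLICY),
  };
}
console.log(JSON.stringify(demo(), null, 2));
```

Run with `node csp-model.js`. Under the semicolon-joined policy only the first Earth URL stays inside `script-src`; the other two become directives of their own with no sources, so those loads fail, while the space-separated version allows all three. For the Meet case, the blob: worker is refused by `worker-src 'self'` because 'self' never matches a blob: URL, and under a policy that only sets `script-src` the check still fails, now with `fallback: true`; the extension's own manifest policy, which lists `blob:` under `worker-src`, would have allowed it, which is why adjusting the manifest did not change the error. The MV3 check returns both pusher hosts as the values Chrome would reject.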