I have a background JS script, written in Angular 2. When I run the extension I get this permission notification:
compiler.js:34069 Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' blob: filesystem: chrome-extension-resource:".
The manifest file is:
{
  "manifest_version": 2,
  "name": "Getting started example",
  "description": "This extension allows the user to change the background color of the current page.",
  "version": "1.0",
  "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'",
  "browser_action": {
    "default_icon": "icon.png",
    "default_popup": "index.html",
    "default_title": "Click here!"
  },
  "permissions": [
    "activeTab",
    "storage"
  ]
}
Which changes should I make?
Related
This is my manifest file -
{
  "manifest_version": 3,
  "name": "Title",
  "version": "1.0",
  "description": "Description",
  "action": {
    "default_title": "Title",
    "default_popup": "popup.html"
  },
  "content_security_policy": {
    "script-src": [
      "'self'",
      "https://use.fontawesome.com/9cd1c736ac.js"
    ],
    "object-src": "self"
  },
  "web_accessible_resources": [
    {
      "resources": [
        "botScript.js"
      ],
      "matches": [],
      "extension_ids": []
    }
  ],
  "icons": {
    "16": "icons/icon16.png",
    "32": "icons/icon32.png",
    "48": "icons/icon48.png",
    "128": "icons/icon128.png"
  }
}
The following is for manifest version-2 and doesn't work for version-3:
"content_security_policy": "script-src 'self' https://example.com ; object-src 'self'",
And I have tried the following variations as well -
"content_security_policy": {
  "script-src": "'self' https://use.fontawesome.com/9cd1c736ac.js",
  "object-src": "self"
}

"content_security_policy": {
  "script-src": "self",
  "script-src-elem": "https://use.fontawesome.com/9cd1c736ac.js",
  "object-src": "self"
},
The documentation says
Manifest V3 does not allow remote URLs in script-src of extension_pages.
So, does this mean, we can't use any external script in V3 at all?
Also, I get the following error:
Refused to load the script 'https://use.fontawesome.com/9cd1c736ac.js' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
You are not allowed to reference external JavaScript in a Manifest V3 Chrome extension. If you publish it to the Chrome Web Store, the team will reject that update.
In Manifest V3, all of your extension's logic must be included in the
extension. You can no longer load and execute a remotely hosted file.
Source: https://developer.chrome.com/docs/extensions/mv3/mv3-migration/#:~:text=In%20Manifest%20V3%2C%20all%20of%20your%20extension%27s%20logic%20must%20be%20included%20in%20the%20extension.%20You%20can%20no%20longer%20load%20and%20execute%20a%20remotely%20hosted%20file.
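The rule quoted above can be checked mechanically before a package is uploaded. The linter below is an added example, not code from the posts on this page or from Chrome; the function names and finding messages are assumptions, the sample manifests are reduced from the ones shown in the surrounding questions, and the localhost exception Chrome grants unpacked extensions is not modelled.

```javascript
// Added example: lint the content_security_policy of a Manifest V3 manifest.
// Sources accepted for these directives in extension_pages (assumption:
// the localhost exception for unpacked extensions is left out).
const ALLOWED = new Set(["'self'", "'none'", "'wasm-unsafe-eval'"]);
const CHECKED = new Set(["script-src", "object-src", "worker-src"]);

// Split a CSP string into { directive: [source, ...] }; the first occurrence
// of a directive wins, as in the browser.
function parseCsp(policy) {
  const out = Object.create(null);
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in out)) out[key] = sources;
  }
  return out;
}

// Return a list of findings; an empty list means nothing was flagged.
function lintMv3Csp(manifest) {
  const csp = manifest.content_security_policy;
  if (csp === undefined) return []; // Chrome applies its default policy
  if (typeof csp !== "object" || csp === null) {
    return ["content_security_policy must be an object in Manifest V3 (a string is the V2 form)"];
  }
  const findings = [];
  for (const key of Object.keys(csp)) {
    if (key !== "extension_pages" && key !== "sandbox") {
      findings.push(`unknown key "${key}": put directives inside the extension_pages string`);
    }
  }
  const pages = typeof csp.extension_pages === "string" ? parseCsp(csp.extension_pages) : {};
  for (const [name, sources] of Object.entries(pages)) {
    if (!CHECKED.has(name)) continue;
    for (const src of sources) {
      if (!ALLOWED.has(src.toLowerCase())) findings.push(`${name}: ${src} is not allowed in extension_pages`);
    }
  }
  return findings;
}

// Sample inputs reduced from the manifests on this page.
const directiveKeys = { manifest_version: 3, content_security_policy: {
  "script-src": ["'self'", "https://use.fontawesome.com/9cd1c736ac.js"], "object-src": "self" } };
const remoteHost = { manifest_version: 3, content_security_policy: { extension_pages:
  "script-src 'self' https://js.pusher.com/4.2/pusher.min.js https://stats.pusher.com; object-src 'self'" } };
const bundled = { manifest_version: 3, content_security_policy: {
  extension_pages: "script-src 'self'; object-src 'self'" } };
for (const m of [directiveKeys, remoteHost, bundled]) console.log(lintMv3Csp(m));
```

An empty list for a manifest means its policy stays within what extension_pages accepts; any script a finding names has to be shipped inside the extension package instead.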
In the "Migrating to Manifest v3" article, it says that the directives, one of them being script-src, may have "only the following values", which then goes on to list "self". However, I used that in my code and I still got the error:
'content_security_policy.extension_pages': Insecure CSP value "https://js.pusher.com/4.2/pusher.min.js" in directive 'script-src'.
{
  "manifest_version": 3,
  "name": "Real-time NFL score",
  "version": "1.0",
  "description": "A simple Chrome extension to simulate the NFL scores in real-time",
  "content_security_policy": {
    "extension_pages": "script-src 'self' https://js.pusher.com/4.2/pusher.min.js https://stats.pusher.com; object-src 'self'"
  },
  "action": {
    "default_icon": "./img/icon.png",
    "default_popup": "popup.html"
  },
  "permissions": ["notifications", "activeTab"]
}
I am migrating to Manifest V3, and I added all the needed content security policy to the manifest.json file. However, I received the following error:
EvalError: Refused to evaluate a string as JavaScript because
unsafe-eval is not an allowed source of script in the following
Content Security Policy directive: script-src self.
at eval ()
at inboxsdk.js:1177
manifest.json:
"content_scripts": [
  {
    "all_frames": false,
    "css": [ "css/content.css", "style.css", "css/buttons.css" ],
    "include_globs": [ "*://mail.google.*/*" ],
    "js": [ "resources/jquery-3.3.1/jquery-3.3.1.min.js", "js/api.js", "js/inpage.js", "js/menus.js", "js/content.js", "js/background.js", "lib/q.js", "js/inboxsdk.js", "js/app.js" ],
    "matches": [ "*://*/*", "<all_urls>" ],
    "run_at": "document_start"
  }
],
"manifest_version": 3,
"content_security_policy": {
  "extension_pages":" object-src 'self'",
  "sandbox": "sandbox allow-scripts; https://apis.google.com https://apis.google.com/js/client.js https://ajax.googleapis.com https://designshack.net/favicon.ico https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js https://aui-cdn.atlassian.com https://netdna.bootstrapcdn.com https://tarruda.github.com https://cdnjs.cloudflare.com https://ydn-src-2.storage.googleapis.com https://www.google.com/ ; default-src 'self'; object-src 'self'"
},
Please update your "extension_pages":" object-src 'self'", with the line of code below:
"extension_pages":"script-src 'self'; object-src 'self'",
I'm trying to develop a Chrome extension that provides translation of meeting audio using Microsoft speech translation api. So far I've been able to integrate the api into my content script and trigger the translation process. But I'm getting the following errors right after
Refused to
create a worker from
'blob:https://meet.google.com/64dd2a91-68d8-4dad-a670-b2f60802b7b0'
because it violates the following Content Security Policy directive:
"worker-src 'self'".
Refused to create a worker from
'blob:https://meet.google.com/64dd2a91-68d8-4dad-a670-b2f60802b7b0'
because it violates the following Content Security Policy directive:
"script-src 'nonce-2I2d8Ck8M1aHt/5Ka0zUQQ' 'unsafe-eval' 'self'
https://apis.google.com https://ssl.gstatic.com https://www.google.com
https://www.gstatic.com https://www.google-analytics.com
https://youtube.googleapis.com https://youtube.com https://s.ytimg.com
https://www.youtube.googleapis.com". Note that 'worker-src' was not
explicitly set, so 'script-src' is used as a fallback.
The following is my manifest file:
{
  "name" : "Meeting Translator",
  "description" : "Real time audio to text translation",
  "version" : "0.0.1",
  "manifest_version" : 2,
  "browser_action" : {
    "default_popup" : "popup.html",
    "default_icon": {
      ...
    }
  },
  "icons" : {
    ...
  },
  "background" : {
    "scripts" : ["background.js"],
    "persistent" : false
  },
  "content_scripts" : [
    {
      "matches" : ["https://meet.google.com/*","http://meet.google.com/*"],
      "js" : [
        "js/microsoft.cognitiveservices.speech.sdk.bundle.js",
        "js/socket.io.min.js",
        "js/content.js"
      ]
    }
  ],
  "permissions" : ["tabs","contentSettings", "storage", "pageCapture"],
  "content_security_policy" : "script-src 'self'; script-src-elem 'self' data: blob:; worker-src 'self' data: blob:; object-src 'self'"
}
This is my first try in extension building. Any help is much appreciated.
ps: if anyone can please explain or refer easy material to understand CSP better.
Is it possible to open your Chrome extension in a new tab? I would like to be able to create a Chrome browser that has the same approach as the bookmark manager. See figure 1.0 below.
I would like my application to like/have an address
chrome://personalize_calendar_stuff
is that possible? I can't find on the manifest references.
Thanks to #wOxxOm for giving me an idea.
I added this script to my index.js:
chrome.browserAction.onClicked.addListener(function(){
  chrome.tabs.create({url: "main.html"});
})
and below is an example of the manifest file I used.
{
  "name" : "Testing Chrome",
  "version": "1.0",
  "background":
  {
    "scripts": ["index.js"]
  },
  "description": "A testing example app",
  "permissions":[
    "tabs"
  ],
  "content_security_policy": "script-src 'self'; object-src 'self'",
  "browser_action": {
    "default_title": "testing chtome",
    "default_icon": "icon.png"
  },
  "manifest_version": 2
}