Use eval() in a Chrome chrome-extension:// page - google-chrome

I know that this may be just me being stupid, but in a Chrome tab that has a page loaded with a URL which begins with chrome-extension://, can the scripts be online or use eval();? I know that browser or page action popups or app windows can't use it. Part of my extension opens a normal new tab with a page which uses eval();.

All pages running at the chrome-extension:// origin are subject to a default content security policy described here, specifically:
script-src 'self'; object-src 'self'
A popup is considered such a page, too, as is the invisible background page. If you open a file from your extension, it will be subject to it too.
You can either:
Relax (or tighten) the default policy for all pages with your manifest:
"content_security_policy": "[POLICY STRING GOES HERE]"
This way you can allow eval and friends by adding 'unsafe-eval' to script-src.
You can also allow loading external scripts by adding their origin to the policy; however, only HTTPS origins are allowed for MitM protection reasons.
However, it's important to remember that 'unsafe-inline' will be ignored regardless of your custom policy.
Relax (or tighten) the default policy for a specific page by declaring it sandboxed.
"sandbox": {
  "pages": [
    "page1.html",
    "directory/page2.html"
  ],
  // content_security_policy is optional.
  "content_security_policy":
    "sandbox allow-scripts; script-src https://www.google.com"
},
Sandboxed CSP can be more permissive, but still there are a couple of restrictions.
The price of sandboxing is losing access to the Chrome APIs. The sandboxed script has to communicate via DOM messages with some privileged page to do privileged things.
There's a guide in the documentation, "Using eval in Chrome Extensions. Safely."
For Apps, the situation is a bit different. Again, a default (and more restrictive) CSP applies, but you cannot modify it in the manifest.
Sandboxing approach still works, though.
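The message protocol between a privileged extension page and a sandboxed page that the answer above refers to, as an added example that is not from the answer or from Chrome's documentation. The file names (sandbox.js, popup.js) and the message fields (id, expr, result, error) are assumptions; in the extension the two handlers would be wired up with postMessage, here they are plain functions so the round trip runs in Node.

```javascript
// --- sandboxed page (sandbox.js): declared under "sandbox" in the manifest,
// so it may call eval() but has no access to chrome.* APIs. In the extension
// it would receive `request` from a "message" event and reply with
// event.source.postMessage(reply, event.origin).
function handleSandboxRequest(request) {
  if (!request || typeof request.id !== "number" || typeof request.expr !== "string") {
    return { id: request && request.id, error: "malformed request" };
  }
  try {
    // Only data crosses the boundary: a string in, a JSON-serialisable value out.
    const value = eval(request.expr);
    return { id: request.id, result: JSON.parse(JSON.stringify(value === undefined ? null : value)) };
  } catch (e) {
    return { id: request.id, error: String(e && e.message) };
  }
}

// --- privileged page (popup.js / background): subject to the default
// extension CSP, so no eval here. It would send the request with
// iframe.contentWindow.postMessage(request, "*") and read the reply from a
// "message" event.
let nextId = 0;
function makeRequest(expr) {
  return { id: nextId++, expr };
}

function readReply(pending, reply) {
  // Drop replies that were never requested: anything from the sandbox is
  // untrusted data, including its message ids.
  if (!reply || !pending.has(reply.id)) return undefined;
  pending.delete(reply.id);
  if ("error" in reply) throw new Error(`sandbox error: ${reply.error}`);
  return reply.result;
}

// Full round trip through both sides, as the two pages would do via postMessage.
function evalViaSandbox(expr) {
  const pending = new Set();
  const req = makeRequest(expr);
  pending.add(req.id);
  return readReply(pending, handleSandboxRequest(req));
}
```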

To use eval, look at the policy "unsafe-eval" in https://developer.chrome.com/extensions/contentSecurityPolicy

Related

form-action CSP blocking allowed URL

Login form is blocked by CSP and I don't understand why
Chrome Version 94.0.4606.61
Error message:
Refused to send form data to
'https://subdomain.mydomain.com/login/local' because it
violates the following Content Security Policy directive: "form-action
'self' https: *.mydomain.com".
No problem with Firefox.
This is because during login you perform a redirect through a host-source which is not allowed in the form-action directive (the port, the scheme, or the domain/subdomain name does not match).
When redirecting, the CSP checks the entire chain of sources, but browsers differ in the behavior of form-action for redirects:
Chrome/Safari consider a redirect when submitting a form to be potentially dangerous, since sensitive user data can be redirected to an attacker's domain. Therefore, they block the redirection if a host-source (domain) not allowed in form-action participates in the chain of redirects.
Firefox believes that the server redirect is under the control of the owner of the page protected by CSP. Therefore, during a redirect it allows you to send the form even to third-party domains.
Note 1. 'self' means the exact scheme://domain:port from the URL in the address bar. Therefore the CSP:
form-action 'self' https: *.mydomain.com
In case the URL is HTTPS://subdomain.mydomain.com, the above CSP becomes form-action HTTPS://subdomain.mydomain.com https: HTTPS://*.mydomain.com, which is equal to form-action https: - it allows anything except http: URLs.
In case the URL is HTTP://subdomain.mydomain.com, the above CSP becomes form-action HTTP://subdomain.mydomain.com https: HTTP://*.mydomain.com, and it does not allow the main domain mydomain.com.
Note 2. The URL https://subdomain.mydomain.com/login/local in the message:
Refused to send form data to 'https://subdomain.mydomain.com/login/local' because it violates ...
is not the URL really blocked by Chrome. This is just the first URL in the redirect chain.
Note 3. If CSP, after all, blocks an allowed domain, it is most likely interference from browser extensions such as NoScript/uBlock/AdBlock/PrivacyBadger, etc.

Load an HTTPS URL by iframe in html page

I have this project which is an HTML page and wanted to load an HTTPS URL by iframe, How can I do so?
I get this error:
Refused to frame 'https://www.google.com/' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.
any help would be much appreciated.
Sounds like you have a Content Security Policy defined for your app.
You need to add frame-src: https://www.google.com to the CSP header to allow iframes with that domain.
Since you have not defined a frame-src in the header, it is falling back to default-src, which doesn't specify the domain either, so it gets blocked.

Chrome extension, because it violates the following Content Security Policy directive but only after refreshing window

I made a chrome extension that loads an iframe on the gmail url. So far so good!
When I install the extension it loads the iframe with no problems, but here comes the problem. If I refresh or access Gmail again it doesn't work anymore, with the following error and no other errors.
Refused to frame 'https://...........com/' because it violates the
following Content Security Policy directive: "frame-src 'self'
Now, you are wondering if I put the CSP in my header. The answer is yes. I have header("Content-Security-Policy: frame-src 'self' https://*.google.com;"); in my PHP and the header is loaded. But the question I can't answer is: why is Chrome seeing errors after the page refresh?
In theory if there is a problem in the CSP it should block the iframe from the first moment, and not after a while.
Do you know anything about this?
Refused to frame 'https://...........com/' because it violates the
following Content Security Policy directive: "frame-src 'self' ... Google's domains here ...
It's not your CSP, but some of Google's iframes publish their own. Google commonly does not allow embedding its own pages into third-party sites.
Most interesting part: 'https://...........com/' is hidden (is this your domain or not?).
Is Chrome seeing errors after the page refresh and why?
Google's services are based on a lot of their own iframes, which interact with each other based on cookies.
For example, you can embed https://gmail.com into an iframe, but if you are logged into an account (have auth cookies), Gmail auto-redirects you to the https://mail.google.com/mail/u/0/ page, which does not allow iframing (because of X-Frame-Options deny).
The behavior of Google's iframes can be very complicated, so an exact answer to "why" is not possible without detailed research.
Anyway, embedding Google services (not officially intended for embedding) into an iframe is not a good idea. Google does not allow that for security reasons.

Chrome Ignoring CSP Directive in the Header on a Redirect

I am implementing an OpenID Connect client web application. After the user is successfully authenticated in the identity provider, they are redirected back over to my web application. Once they arrive, depending on the value of some query parameters they are redirected to a URL. When the redirection occurs Chrome throws this error in the console:
Refused to send form data to 'https://my-domain-a.com/' because it violates the following Content Security Policy directive: "form-action 'self' https://my-domain-b.com/receive-token".
After some googling I tried adding a Content-Security-Policy header as:
content-security-policy: form-action 'self' https://my-domain-a.com
This does not seem to have any effect and I still receive this message.
I have 2 questions:
How do I fix this?
Why is Chrome throwing this error off of a 301 redirect?
After much googling (and profanity) I figured out why this is happening, as well as an (ugly) fix.
During my experiments, I noticed that all Chromium browser descendants (Chromium, Chrome, and Vivaldi) had this issue. Non-Chromium browser descendants (Firefox and Safari) did not. As it turns out, the identity provider was setting a content security policy directive of: form-action 'self' https://my-domain-b.com/receive-token. Since my browser was getting redirected from the identity provider to my-domain-b.com to my-domain-a.com the Chromium descendants flagged the redirect from my-domain-b.com to my-domain-a.com as violating the content security policy set by the identity provider. I unfortunately don't know the spec well enough to say which of the 2 behaviors exhibited by the different browsers is the most correct...
I fixed this issue by doing a somewhat ugly hack. Rather than doing a 301 redirect from my-domain-b.com to my-domain-a.com, I instead had my-domain-b.com render a simple HTML page that immediately submitted to my-domain-a.com:
<html><body onload="window.location='https://my-domain-a.com?my_param=my_value'"></body></html>
This solution satisfied the Chromium descendants since there was no longer a redirect to an unrecognized domain. In my case relying on JavaScript is acceptable as the site the user is redirected to is an Angular app, so the user must have JavaScript enabled.
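The redirect-chain behaviour described in the answer above, and the 'self' / host-source rules from the earlier "Login form is blocked by CSP" answer on this page, as an added example that is not part of either post. It is a deliberately minimal form-action evaluator: it handles 'self', scheme sources such as "https:" and host sources with an optional "*." wildcard, but no paths or ports, and the "chrome" / "firefox" modes are a model of the two behaviours the answers describe, not browser code. The identity-provider page URL in the usage is constructed.

```javascript
// Does `host` match a host-source pattern? "*.mydomain.com" matches any
// subdomain but, per the spec, not "mydomain.com" itself.
function hostMatches(pattern, host) {
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // ".mydomain.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does one source expression allow `target`, given the `page` that
// delivered the policy?
function sourceAllows(expr, page, target) {
  if (expr === "'self'") {
    return page.protocol === target.protocol && page.host === target.host;
  }
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) { // scheme-source, e.g. "https:"
    return target.protocol === expr.toLowerCase();
  }
  // host-source, optionally with an explicit scheme ("https://*.mydomain.com")
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)$/i.exec(expr);
  if (!m) return false;
  const scheme = m[1] ? m[1].toLowerCase() + ":" : null;
  // Without an explicit scheme the page's scheme is assumed, with the usual
  // allowance for an http page submitting to https.
  const schemeOk = scheme
    ? target.protocol === scheme
    : target.protocol === page.protocol ||
      (page.protocol === "http:" && target.protocol === "https:");
  return schemeOk && hostMatches(m[2].toLowerCase(), target.hostname);
}

function formActionAllows(directive, pageUrl, targetUrl) {
  const sources = directive.replace(/^form-action\s+/, "").trim().split(/\s+/);
  const page = new URL(pageUrl), target = new URL(targetUrl);
  return sources.some((s) => sourceAllows(s, page, target));
}

// Chrome-like: every URL in the redirect chain must be allowed by form-action.
// Firefox-like: only the URL the form is actually submitted to is checked.
function submissionAllowed(directive, pageUrl, chain, browser) {
  const urls = browser === "firefox" ? chain.slice(0, 1) : chain;
  return urls.every((u) => formActionAllows(directive, pageUrl, u));
}

// Usage: the identity provider's policy from the question, and the chain the
// OIDC callback produced (identity provider -> my-domain-b.com -> my-domain-a.com).
const idpPolicy = "form-action 'self' https://my-domain-b.com";
const chain = ["https://my-domain-b.com/receive-token", "https://my-domain-a.com/"];
submissionAllowed(idpPolicy, "https://idp.example/authorize", chain, "chrome");  // false
submissionAllowed(idpPolicy, "https://idp.example/authorize", chain, "firefox"); // true
```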

Microsoft Edge Content-security-policy Error

I am trying to load Google Maps inside my Chrome extension using the following CSP defined in manifest.json:
"content_security_policy": "script-src 'self' 'unsafe-eval' https://maps.googleapis.com/ https://ssl.google-analytics.com; object-src 'self'"
It's working fine. Now I converted my extension to a Microsoft Edge extension, and the overall code works except that the Content Security Policy blocks the resources downloaded by Google Maps. Below are the errors. Can anyone correct me if I'm doing something wrong?
CSP14312: Resource violated directive ‘script-src 'self'’ in Host Defined Policy: https://maps.googleapis.com/maps/api/js?key=ID. Resource will be blocked.
The error code didn't lead me to any helpful resource.
I haven't found the correct solution so far. However, I found an alternative approach to integrate Google Maps inside the Microsoft Edge extension: embed an iframe inside the extension.
<iframe width="100%" height="100%" frameborder="0" style="border:0" src="https://www.google.com/maps/embed/v1/place?q=40.7127837,-74.0059413&key=ID"></iframe>