Hi,
I am facing an issue with CSP in my extension...
I use a content script in order to change images on websites. My
content script was
adding his own images to websites so I had the following warning :
[Report Only] Refused to load image from 'chrome://extension/xxx/...'
because of Content-Security-Policy.
The page at
https://plus.google.com/u/0/hot displayed insecure content
from chrome://extension/xxx/....
So I added the following line to my manifest :
"content_security_policy": "default-src *"
and the warning disappeared...
Now, I need to modify images, to do that, I write them to a canvas,
get the dataURL and convert it into a WebkitBlobBuilder to avoid the
memory leak due to src change on img tag (with a blob, I can
revoke it once it has been used and it freed the memory...)
Part of the code :
//Code to create a blob from dataURI
base.dataURItoBlob = function(dataURI, callback) {
var byteString;
if (dataURI.split(',')[0].indexOf('base64') >= 0)
byteString = atob(dataURI.split(',')[1]);
else
byteString = unescape(dataURI.split(',')[1]);
var mimeString = dataURI.split(',')[0].split(':')[1].split(';')
[0]
var ab = new ArrayBuffer(byteString.length);
var ia = new Uint8Array(ab);
for (var i = 0; i < byteString.length; i++) {
ia[i] = byteString.charCodeAt(i);
}
var bb = new WebKitBlobBuilder();
bb.append(ab);
return bb.getBlob(mimeString);
};
//Code to display the blob on an image :
//Write image on a canvas :
base.ctx.putImageData(cData, img.leftPos, img.topPos);
//Get a blob
var blobData = base.dataURItoBlob(base.canvas.toDataURL("image/
png"));
//Create an URL from the blob
var urlfile = window.webkitURL.createObjectURL(dataBlob);
//set it on the img tag
img.attr("src", urlfile);
//Revoke the blob once loaded
img.load(function() {
window.webkitURL.revokeObjectURL(urlfile);
});
This code works great.... There is no more memory leak due to src
change on my img tag.
BUT I have this warning :
[Report Only] Refused to load image from 'blob:https%3A%2F
%
2Fplus.google.com/52ac1648-64d6-4fce-bb35-537d939d5007' because of
Content-Security-Policy.
The page at
https://plus.google.com/u/0/hot displayed insecure content
from blob:https%3A%2F%
2Fplus.google.com/52ac1648-64d6-4fce-
bb35-537d939d5007.
Why does the default-src from content policy does not applied to
blobs ??
Thanks !