Content Security Policy and GWT RPC


zorro

May 17, 2012, 7:42:23 AM
to chromium-...@chromium.org
I created a Chrome extension. I intend to serve online data for this extension through GWT RPC. The two projects are finished and I cannot make GWT RPC run from the extension. I fiddled with the CSP; now it looks like: "content_security_policy": "script-src 'self' https://www.BLABLA.com; object-src 'self'; frame-src about:".

I am 'done' at this point since I am getting errors in the console without any line numbers.

Refused to execute inline script because of Content-Security-Policy.
Refused to execute JavaScript URL because of Content-Security-Policy.
13Refused to execute inline script because of Content-Security-Policy.

The thing is that GWT runs in an iframe, also injects some <script>s and probably a lot of stuff I have no idea about.
How should I proceed? Is there any chance to fix this?
Or should I rather give up? (I really like my design conceptually, I don't want to give it up ;-)


PhistucK

May 17, 2012, 3:40:50 PM
to zorro, chromium-...@chromium.org
If you download the canary build, I think it might be able to show you line numbers.
I think I saw a recent change that enabled that for Content-Security-Policy errors.

PhistucK






zorro

May 18, 2012, 8:57:02 AM
to chromium-...@chromium.org
Thanks PhistucK, I'll maybe try that. 

So far, I added <add-linker name="xsiframe" /> to my GWT module and managed to get the number of error messages down to 2.
There is still something wrong with the CSP.

On Thursday, May 17, 2012 13:42:23 UTC+2, zorro wrote:

zorro

Jan 28, 2013, 10:42:59 AM
to chromium-...@chromium.org
I am compiling GWT to one script, without using iframes, to avoid the issues of manifest 2, and therefore using only one GWT module (because there are no iframes). I am not using GWT for the whole app. Under the conditions I have just described, it works sufficiently well for me even with manifest 2.

On Thursday, January 24, 2013 6:17:23 AM UTC+1, Adolfo Rodriguez wrote:
Anyone else trying to make a GWT/GXT app working as a Chrome Extension?

I followed this tutorial and client side worked fine with the GWT demo app in Eclipse plugin out of the box. However, I am unable to make RPC to work and reach the servlet. I am working with version 2 of manifest.

Any successful experience?

Thanks

Adolfo Rodriguez

Jan 29, 2013, 3:13:21 PM
to chromium-...@chromium.org
Here is a good example where the client side works out of the box for the GWT sample app created by Eclipse GWT plugin.


It would be great to know what needs to be added to the manifest.json to also make GWT RPC work, and therefore the server side.

Does anyone know what permission is needed in the manifest for this task?

Thanks.

Adolfo Rodriguez

Jan 29, 2013, 5:53:01 PM
to chromium-...@chromium.org
More on this: I have found that the console throws the following error:

Refused to execute JavaScript URL because it violates the following Content Security Policy directive: "script-src 'self' chrome-extension-resource:".

On the other hand, it is true that the sample app created by the GWT Eclipse plugin contains an iframe (as commented by zorro) in its only HTML file.
Here it is:

<html>
  <head>
    <meta http-equiv="content-type" content="text/html; charset=UTF-8">
    <link type="text/css" rel="stylesheet" href="SampleChromePlugin.css">
    <title>Web Application Starter Project</title>
    <script type="text/javascript" language="javascript" src="samplechromeplugin/samplechromeplugin.nocache.js"></script>
  </head>
  <body>
    <iframe src="javascript:''" id="__gwt_historyFrame" tabIndex='-1' style="position:absolute;width:0;height:0;border:0"></iframe>
    <noscript>
      <div style="width: 22em; position: absolute; left: 50%; margin-left: -11em; color: red; background-color: white; border: 1px solid red; padding: 4px; font-family: sans-serif">
        Your web browser must have JavaScript enabled
        in order for this application to display correctly.
      </div>
    </noscript>
    <h1>Web Application Starter Project</h1>
    <table align="center">
      <tr>
        <td colspan="2" style="font-weight:bold;">Please enter your name:</td>        
      </tr>
      <tr>
        <td id="nameFieldContainer"></td>
        <td id="sendButtonContainer"></td>
      </tr>
      <tr>
        <td colspan="2" style="color:red;" id="errorLabelContainer"></td>
      </tr>
    </table>
  </body>
</html>

Which changes should I make to fix the previous error?
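
Added example (not part of the original thread, and not GWT or Chrome code): a small Node.js scan for markup that a "script-src 'self'" extension policy refuses to execute, reporting the line numbers that the console messages quoted above lack. The names findCspViolations, CHECKS and SAMPLE are made up for this example, and the regex scan only approximates real HTML parsing.

```javascript
// Added example: static check for markup that an extension's
// "script-src 'self'" policy (no 'unsafe-inline') refuses to execute.
// Regex scanning is an approximation, not a full HTML parser.
const CHECKS = [
  // <script> element with no src attribute and a non-empty body
  { kind: "inline-script",
    re: /<script\b(?![^>]*\bsrc\s*=)[^>]*>\s*[^\s<][\s\S]*?<\/script>/gi },
  // javascript: URL in a URL-bearing attribute (e.g. the GWT history iframe)
  { kind: "javascript-url",
    re: /<[a-z][^>]*\b(?:src|href|action)\s*=\s*["']?\s*javascript:[^>]*>/gi },
  // inline event handler attributes such as onclick="..."
  { kind: "inline-handler",
    re: /<[a-z][^>]*\son[a-z]+\s*=\s*["'][^>]*>/gi },
];

function findCspViolations(html) {
  const found = [];
  for (const { kind, re } of CHECKS) {
    for (const m of html.matchAll(re)) {
      // 1-based line number of the offending tag
      const line = html.slice(0, m.index).split("\n").length;
      found.push({ line, kind, tag: m[0].split("\n")[0].slice(0, 60) });
    }
  }
  return found.sort((a, b) => a.line - b.line);
}

// Constructed sample: trimmed copy of the host page quoted in the thread,
// plus one inline handler added here to exercise the third check.
const SAMPLE = [
  "<html>",
  "  <head>",
  '    <script type="text/javascript" src="samplechromeplugin/samplechromeplugin.nocache.js"></script>',
  "  </head>",
  "  <body>",
  "    <iframe src=\"javascript:''\" id=\"__gwt_historyFrame\" tabIndex='-1'></iframe>",
  '    <button onclick="send()">Send</button>',
  "  </body>",
  "</html>",
].join("\n");

for (const v of findCspViolations(SAMPLE)) {
  console.log(`line ${v.line}: ${v.kind}: ${v.tag}`);
}
```
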

Adolfo Rodriguez

Jan 29, 2013, 6:50:03 PM
to chromium-...@chromium.org
Bit of progress. 

By removing the inline script it does not throw the error anymore:

     <iframe src="javascript:''" id="__gwt_historyFrame" tabIndex='-1' style="position:absolute;width:0;height:0;border:0"></iframe>

so replace it with:

     <iframe id="__gwt_historyFrame" tabIndex='-1' style="position:absolute;width:0;height:0;border:0"></iframe>

but it is still not able to connect to the server, probably because of the iframe.

The issue is how to remove the iframe in the demo Eclipse app or invoke it with HTTPS as described:


Adolfo Rodriguez

Jan 29, 2013, 7:30:40 PM
to chromium-...@chromium.org
Not the iframe either. Going by the comment:

    <!-- OPTIONAL: include this if you want history support -->
    <iframe src="javascript:''" id="__gwt_historyFrame" tabIndex='-1' style="position:absolute;width:0;height:0;border:0"></iframe>

the whole line could be removed. The sample app still works from the browser, but the Chrome extension keeps complaining:
Sending name to the server:
GWT User

Server replies:
An error occurred while attempting to contact the server. Please check your network connection and try again.
with no exceptions. :-(