Re: [crx] CSP and context menus


Mihai Parparita

Sep 25, 2012, 11:41:21 AM
to johnjbarton, chromium-...@chromium.org
Are you setting a custom content_security_policy value in your manifest? The CSP directive that's displayed forbids XHRs to all remote hosts (default-src is used for all HTTP requests, in the absence of a more specific connect-src directive).

Mihai

On Mon, Sep 24, 2012 at 7:53 PM, johnjbarton <johnj...@johnjbarton.com> wrote:
I have some background page code that uses XHR for cross site access. It works when called from an extension page. I tried calling it from an extension-defined context menu item. I get:

Refused to connect to 'http://google.com/' because it violates the following Content Security Policy directive: "default-src 'self' chrome-extension://mpbflbdfncldfbjicfcfbaikknnbfmae chrome-extension-resource: ".

Why?

jjb

--
You received this message because you are subscribed to the Google Groups "Chromium-extensions" group.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msg/chromium-extensions/-/dmk18xq81fEJ.
To post to this group, send email to chromium-...@chromium.org.
To unsubscribe from this group, send email to chromium-extens...@chromium.org.
For more options, visit this group at http://groups.google.com/a/chromium.org/group/chromium-extensions/?hl=en.

John J Barton

Sep 25, 2012, 11:46:30 AM
to Mihai Parparita, chromium-...@chromium.org, mk...@chromium.org
In that case the documentation page:
http://developer.chrome.com/extensions/xhr.html
omits critical information.

jjb

Mihai Parparita

Sep 25, 2012, 11:51:28 AM
to John J Barton, chromium-...@chromium.org, mk...@chromium.org

Adam Barth

Sep 25, 2012, 12:02:29 PM
to John J Barton, Mihai Parparita, Chromium-extensions, mk...@chromium.org
I'm not sure whether you've figured this out from this thread, but you
probably want to add connect-src * to your content_security_policy:

default-src 'self'; connect-src *

Adam

John J Barton

Sep 25, 2012, 2:24:29 PM
to Adam Barth, Mihai Parparita, Chromium-extensions, mk...@chromium.org
On Tue, Sep 25, 2012 at 9:02 AM, Adam Barth <aba...@chromium.org> wrote:
> I'm not sure whether you've figured this out from this thread,

I'm not sure you meant that to be funny, but it is ;-)

> but you
> probably want to add connect-src * to your content_security_policy:
>
> default-src 'self'; connect-src *

That worked, thanks!

The CSP configuration is looking like a contender for
least-dev-friendly API of the year.

"Putting all_of_the 'fields' into 'one long-string'; 'makes' 'human
parsing' on finite-length' lines more difficult; having 'some' fields
'override-other-fields' adds to the_confusion; but the 'topper' is
implicit_platform_dependent 'restrictions';

Note that if the sample
Content Script Cross-Domain XMLHttpRequest Example
on
http://developer.chrome.com/extensions/samples.html
is updated to manifest_version 2 and https, then it works. This is
confusing because it relies on the default CSP having a default-src
that works. (I guess).

jjb

Adam Barth

Sep 25, 2012, 6:09:17 PM
to John J Barton, Mihai Parparita, Chromium-extensions, mk...@chromium.org
On Tue, Sep 25, 2012 at 11:24 AM, John J Barton
<johnj...@johnjbarton.com> wrote:
> On Tue, Sep 25, 2012 at 9:02 AM, Adam Barth <aba...@chromium.org> wrote:
>> I'm not sure whether you've figured this out from this thread,
>
> I'm not sure you meant that to be funny, but it is ;-)

I figured you hadn't, but I didn't want to make an assumption.

>> but you
>> probably want to add connect-src * to your content_security_policy:
>>
>> default-src 'self'; connect-src *
>
> That worked, thanks!
>
> The CSP configuration is looking like a contender for
> least-dev-friendly API of the year.
>
> "Putting all_of_the 'fields' into 'one long-string'; 'makes' 'human
> parsing' on finite-length' lines more difficult; having 'some' fields
> 'override-other-fields' adds to the_confusion; but the 'topper' is
> implicit_platform_dependent 'restrictions';

I think some of that is a consequence of CSP being designed for use in
an HTTP header on the broader web. If this were an extension-only
feature, we'd probably use a more structured syntax. We thought about
having a more extension-developer friendly syntax, but it seemed like
this approach was better in the long term, especially for developers
who will interact with CSP both in the extension system and in the
broader web.

Unfortunately, we're fairly locked into the syntax of CSP at this
point because Firefox and other browser vendors have implemented it
already. I do appreciate your feedback, though. At the very least,
it's useful to us in designing future APIs.

> Note that if the sample
> Content Script Cross-Domain XMLHttpRequest Example
> on
> http://developer.chrome.com/extensions/samples.html
> is updated to manifest_version 2 and https, then it works. This is
> confusing because it relies on the default CSP having a default-src
> that works. (I guess).

Yeah, the default policy doesn't impose any restrictions on
XMLHttpRequest. The issue arises when you override the default policy
and include the default-src directive, which does restrict
XMLHttpRequest.
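
The directive fallback Adam describes (connect-src governs XHR when present, default-src otherwise, no restriction when neither is set) is easy to get wrong when reading a policy string by eye. The following is an added example written for this page; it is neither Chromium's CSP implementation nor code from anyone in the thread. It is a reduced CSP evaluator: the source-expression matching ('self', 'none', *, scheme:, [scheme://][*.]host[:port]) is a simplification of the CSP grammar, paths are ignored, and the example.com hosts in the test cases are constructed. The extension ID and the two policy strings are the ones that appear in the thread.

```javascript
// Added example (not from the thread or from Chromium): a reduced CSP
// evaluator showing why "default-src 'self' chrome-extension://<id>
// chrome-extension-resource:" refuses an XHR to http://google.com/ while
// "default-src 'self'; connect-src *" allows it. Source matching is a
// simplified form of the CSP rules: 'self', 'none', *, scheme:, and
// [scheme://][*.]host[:port]; paths are ignored. The extension ID is the one
// from the error message in the thread; other hosts below are constructed.

const SELF_ORIGIN = 'chrome-extension://mpbflbdfncldfbjicfcfbaikknnbfmae';

// The policy Chrome reported: no connect-src, so default-src governs XHR and
// only the extension's own origin (plus chrome-extension-resource:) is allowed.
const BLOCKING_POLICY =
  "default-src 'self' chrome-extension://mpbflbdfncldfbjicfcfbaikknnbfmae chrome-extension-resource:";

// The fix from the thread: an explicit connect-src overrides default-src for XHR.
const FIXED_POLICY = "default-src 'self'; connect-src *";

// Parse "name src src; name src ..." into Map<name, [sources]>.
// The first occurrence of a directive wins; later duplicates are ignored.
function parseCsp(policy) {
  const directives = new Map();
  for (const chunk of policy.split(';')) {
    const [name, ...sources] = chunk.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Scheme plus host, e.g. "http://google.com". URL.origin is avoided because it
// is the string "null" for non-special schemes such as chrome-extension:.
function originOf(url) {
  return `${url.protocol}//${url.host}`;
}

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Does a single source expression match the target URL?
function sourceMatches(source, target, selfOrigin) {
  const s = source.toLowerCase();
  if (s === "'self'") return originOf(target) === selfOrigin;
  if (s.startsWith("'")) return false;   // 'none' and keywords that do not name a host
  if (s === '*') return true;            // simplification: the spec excludes data:/blob:/filesystem:
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return target.protocol === s;  // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?(\/.*)?$/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const targetScheme = target.protocol.slice(0, -1);
  const selfScheme = selfOrigin.split(':')[0];
  // A host-source with no scheme matches the document's own scheme
  // (or https when the document is http), as the CSP spec prescribes.
  const schemeOk = scheme
    ? scheme === targetScheme
    : targetScheme === selfScheme || (targetScheme === 'https' && selfScheme === 'http');
  if (!schemeOk) return false;
  const hostname = target.hostname;
  if (wildcard ? !hostname.endsWith(`.${host}`) : hostname !== host) return false;
  if (port && port !== '*') {
    const targetPort = target.port || DEFAULT_PORTS[target.protocol] || '';
    if (targetPort !== port) return false;
  }
  return true;
}

// Decide whether a fetch/XHR from the extension to targetUrl is allowed.
// connect-src governs if present; otherwise default-src; if neither is set,
// CSP places no restriction on the connection.
function evaluateConnect(policy, selfOrigin, targetUrl) {
  const directives = parseCsp(policy);
  const governedBy = ['connect-src', 'default-src'].find((d) => directives.has(d)) || null;
  if (governedBy === null) return { allowed: true, governedBy };
  const target = new URL(targetUrl);
  const allowed = directives.get(governedBy).some((src) => sourceMatches(src, target, selfOrigin));
  return { allowed, governedBy };
}

// Stand-alone demo of the two policies from the thread.
for (const policy of [BLOCKING_POLICY, FIXED_POLICY]) {
  const r = evaluateConnect(policy, SELF_ORIGIN, 'http://google.com/');
  console.log(`${r.allowed ? 'allowed' : 'refused'} by ${r.governedBy}: "${policy}"`);
}
```

In a manifest_version 2 manifest the policy string is the value of the "content_security_policy" key, and CSP is only one of the gates: the remote host must also be covered by the extension's host permissions. `connect-src *` reproduces the unrestricted default and is the quickest fix, but an extension that only ever talks to a few known endpoints is better served by listing them (for example `connect-src https://api.example.com`, a constructed host), since a narrow connect-src limits where injected or compromised extension code can exfiltrate data.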