Content-Security-Policy in Chrome 14 and extension not working

468 views
Skip to first unread message

Ol

unread,
Jul 28, 2011, 7:53:21 AM7/28/11
to Chromium-extensions
Hi,

I have an extension which works fine in Chrome 12, however when trying
it in Chrome 14 canary I get:

- Refused to execute inline script because of Content-Security-
Policy.
- Refused to execute inline event handler because of Content-Security-
Policy

I've tried the following in the manifest
- not having anything
- having "content_security_policy": "default-src *",

The blog post on the subject [1] does not imply that it's mandatory
but rather optional as well.

Any help / pointers to existing known issues appreciated.

Cheers

Ol
[1] http://blog.chromium.org/2011/07/writing-extensions-more-securely.html

Boris Smus

unread,
Jul 28, 2011, 3:51:03 PM7/28/11
to Ol, Chromium-extensions
Hi Ol,

Could you provide your code (or ideally, a reduced case)? Specifically, do you load external resources and make XHRs?

Thanks,
- Boris


--
You received this message because you are subscribed to the Google Groups "Chromium-extensions" group.
To post to this group, send email to chromium-...@chromium.org.
To unsubscribe from this group, send email to chromium-extens...@chromium.org.
For more options, visit this group at http://groups.google.com/a/chromium.org/group/chromium-extensions/?hl=en.


Adam Barth

unread,
Jul 28, 2011, 3:51:46 PM7/28/11
to Ol, Chromium-extensions
content_security_policy isn't mandatory. Would you be willing to
share a simple example extension that demonstrates the issue?

Note: "default-src *" does block inline scripts and events. You can
use this policy to allow them:

default-src * 'unsafe-inline'

Adam


On Thu, Jul 28, 2011 at 4:53 AM, Ol <o...@uncon.org> wrote:

Ol

unread,
Jul 28, 2011, 4:47:26 PM7/28/11
to Chromium-extensions
Adam,

> Note: "default-src *" does block inline scripts and events.  You can
> use this policy to allow them:
>
> default-src * 'unsafe-inline'

This fixed the issue thanks. I note that this also worked in my case:
"content_security_policy": "default-src 'self' 'unsafe-inline'"

Adam & Boris,

I'll make a test case tomorrow if I get time, worse case it might be
the weekend. My code does the following
- access cookies
- access HTTP headers via XHR

Cheers

Ol

contentsecuritypolicyhell?

unread,
May 10, 2012, 1:44:22 PM5/10/12
to chromium-...@chromium.org, Ol
re: default-src * 'unsafe-inline'  to enable inline scripts and events

in manifest.json, using "default-src * 'unsafe-inline'" for the value of "content_security_policy", I can't even load my extension because google complains of "invalid value for content security policy" in manifest.json, right off the bat. am i missing something? perhaps something has changed since june 28, 2011...
Reply all
Reply to author
Forward
0 new messages