Chrome extensions subject to trusted type restrictions?


Erek Speed

Feb 28, 2022, 8:48:10 PM
to Chromium-extensions
Hi all,

Recently some users have reported my (MV2) extension not working on Google Docs which I can't reproduce. But one user was able to report errors in the console like so:
"VM290:27 This document requires 'TrustedScript' assignment." and "Trusted Type expected, but String received"

Trusted types explainer: https://web.dev/trusted-types/

For my extension to work on Google Docs it does have an early running content script which injects a script tag into `document.head`. In general, this seems like it could cause the error but I can't see anything on the net about people complaining about this.

Has anybody run across this?
I'll experiment with creating a trusted script policy among other things later but thought I'd send a note here in case someone had ideas while I was at my day job. :)

Cheers,
Erek

Simeon Vincent

Mar 1, 2022, 12:43:32 AM
to Erek Speed, Chromium-extensions
Yep, for the most part extensions are subject to the same security restrictions as other web content.

Google Workspace has the concept of release tracks; it's possible that the people encountering trusted types errors with your extension are on the Rapid Release track rather than the standard Scheduled Release track. I'm guessing that the rapid track is serving Docs with a require-trusted-types-for CSP header. 

Take a look at the TrustedHTML page on MDN for an example of how to create a Trusted Types policy (a specialized constructor) to create Trusted Type instances. In that example they only show using createHTML to generate a TrustedHTML instance, but the same approach applies to TrustedScript and TrustedScriptURL. 

Simeon - @dotproto
Chrome Extensions DevRel



Erek Speed

Mar 1, 2022, 5:41:22 AM
to Simeon Vincent, Chromium-extensions
Thanks Simeon for the answer.

Unfortunately, it seems like TrustedTypes enforcement isn't the cause of my extension's problems. I forced `require-trusted-types-for` using ModHeader and my extension worked fine (and in fact Google Docs doesn't show any CSP errors).

My summary was probably too vague but I think that since I set the script textContent from the content script's isolated world and modify the DOM (by appending the script to document.head) from the content script, it doesn't interact with the host page's CSP. (See below for a full example of my content script.)

The fact that the user saw the error at all might mean they have some other extensions modifying the page causing conflicts in some way so I'll reach out in the support tab thread. (Side note, it'd be great if we got proper markdown support when replying to support requests but even preserving newlines would help readability a lot!)

Thanks,
Erek

Content script for reference:

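```javascript
// Source of the script to run in the page, kept as a string.
const injectedCode = `(function() {console.log('hi');})();`;

// Build an inline <script> element from the content script.
const script = document.createElement('script');
script.textContent = injectedCode;
// An inline script runs synchronously when it is appended to the document.
(document.head || document.documentElement).appendChild(script);
// The element is no longer needed once the code has run.
script.remove();
```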
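
A variant of the content script above that routes the injected source through a Trusted Types policy, following Simeon's note that the `createHTML` approach also applies to `TrustedScript`. This is an added example, not code from the thread; the policy name `extension-inject` and the function names are assumptions, and the policy only accepts the one fixed source string so it cannot be used as a pass-through for arbitrary input.

```javascript
// Added example (not from the thread): inject a fixed inline script through
// a Trusted Types policy when the API is available.
const INJECTED_CODE = "(function() {console.log('hi');})();";
const POLICY_NAME = 'extension-inject'; // assumed name, not from the thread

// Returns a policy object, or null when Trusted Types cannot be used.
function getScriptPolicy(win) {
  const tt = win.trustedTypes;
  if (!tt || typeof tt.createPolicy !== 'function') return null;
  try {
    return tt.createPolicy(POLICY_NAME, {
      // Only bless the exact source this extension ships. Returning any
      // input unchanged would defeat the purpose of the policy.
      createScript(source) {
        if (source !== INJECTED_CODE) {
          throw new TypeError('unexpected script source');
        }
        return source;
      },
    });
  } catch (err) {
    // createPolicy throws if a `trusted-types` CSP directive does not allow
    // this policy name, or if a policy with this name already exists.
    return null;
  }
}

// Injects `code` into `doc`; returns true if a TrustedScript policy was used.
function injectScript(doc, win, code) {
  const policy = getScriptPolicy(win);
  const script = doc.createElement('script');
  // Without a policy, assign the plain string as the original script does.
  script.textContent = policy ? policy.createScript(code) : code;
  (doc.head || doc.documentElement).appendChild(script);
  script.remove();
  return policy !== null;
}

// Only runs where a DOM exists (for example, in a content script).
if (typeof document !== 'undefined') {
  injectScript(document, window, INJECTED_CODE);
}
```

Call `injectScript` once per document: a second `createPolicy` call with the same name throws unless the page's CSP allows duplicates, in which case this code falls back to the plain string.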
