Can declarativeNetRequest API Modify CSP headers ??

[Jeremiah Oluwakoya]

Hi .. I'm currently developing an extension to injects audio elements into a page using the content script, but request to the audio URL keeps getting blocked by the sites CSP. 

In Manifest V2 I was able to bypass the CSP of the page with the help of the WebRequest and WebRequest Blocking API. I find that I am unable to do this with declarativeNetRequest API. What is the reason for this, and is there a workaround ??.

[Deco]

The WebRequest API within Manifest V3 is not supported with declarativeNetRequest. Instead you can do this directly within DNR, specifically please see modifyHeaders section within the documentation: https://developer.chrome.com/docs/extensions/reference/declarativeNetRequest/

Cheers,

Decklin

On Mon, 16 Jan 2023, 07:56 Jeremiah Oluwakoya, <mayjr...@gmail.com> wrote:

Hi .. I'm currently developing an extension to injects audio elements into a page using the content script, but request to the audio URL keeps getting blocked by the sites CSP. 

In Manifest V2 I was able to bypass the CSP of the page with the help of the WebRequest and WebRequest Blocking API. I find that I am unable to do this with declarativeNetRequest API. What is the reason for this, and is there a workaround ??.

--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/ace91c47-323b-40be-86b1-f07aa020e3cbn%40chromium.org.

[wOxxOm]

declarativeNetRequest doesn't provide a way to patch an existing header e.g. replace or append parts of it. You can only remove the header or override it entirely with your own value. An alternative solution is to play the audio inside a web_accessible_resources iframe added to the web page.

[Jeremiah Oluwakoya]

@Declin .. yes i have done that. I've set up rules to modify the CSP header, but nothing happens still. at first I thought the rule was incorrect, so I tried using the same parameters (urlfilter & domian) on a block action rule and it was successful.

here is a snippet of the rule:

[

    {

        "id" : 1,

        "priority": 1,

        "action" : {

            "type" : "modifyHeaders",

            "responseHeaders": [

                {

                    "header": "content-security-policy",

                    "operation": "append",

                    "value": "media-src https://firebasestorage.googleapis.com/"

                }

            ]

        },

        "condition" : {

            "urlFilter" : "firebasestorage",

            "domains" : ["github.com"],

            "resourceTypes" : ["media"]

        }

    }

]

Do you have an insight into what the problem might be??  

[Jeremiah Oluwakoya]

@w0xx0m Thanks for the alternative insight, i'll try experimenting with that.

[wOxxOm]

Hmm, I don't remember if DNR actually supports appending to remote response headers so the added part may be ignored because the specification says the subsequent CSP definitions can only be more restrictive, but there are problems worth fixing in your rule anyway: 1) CSP header must be set for "main_frame" instead of "media" and there's no need for "urlFilter", 2) rename "domains" to "initiatorDomains", 3) try adding a semicolon ; before media-src.

[Jeremiah Oluwakoya]

@w0xx0m Your corrections worked, i corrected the rule and it worked, altho i had to change the operation to "remove" because append does not work. Thanks a million.,