Re: [crx] Content security policy to allow only my Chrome extension


Patrick Kettner

Sep 29, 2023, 12:34:45 PM
to Vince Scafaria, Chromium Extensions
frame-ancestors would be the relevant directive for this. You would set your extension's origin (i.e. chrome-extension://hash) as the host in the rule.

On Thu, Sep 28, 2023 at 3:08 PM Vince Scafaria <vi...@positivesum.net> wrote:
Most discussions of CSP and Chrome extensions focus on allowing the extension to get around the CSP of known domains. I have a slightly different challenge. We publish a web application that enterprises deploy to their own custom domains (so the domain can't be specified in the manifest), i.e. we control the web app code and the Chrome extension code, but not the web app domain URL.

Today, our Chrome extension content script is invoked at certain well-known sites like LinkedIn (per the manifest). When it does, it injects an iframe that frames in the web application (so that the web app can be experienced as a frame while sitting in the 3rd-party page like LinkedIn). This works great without a CSP on the web app site.
LinkedIn -> Chrome extension content script -> frame holds the web app.

Are there headers I could apply to the web app that will allow framing only by our Chrome extension (or, second best, only by Chrome extensions in general)? I'm somewhat new to CSPs; not sure whether "object-src" might point in the right direction?

Right now I do the following and need to improve on it for our use case as outlined. Thank you!

context.Response.Headers.Add("x-frame-options", "DENY");

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/942f7032-f2a2-4628-ad00-1bc2261affc3n%40chromium.org.
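The following is an added example, not code from either poster. It shows what the frame-ancestors header the reply recommends looks like, and evaluates it the way a browser does: per the CSP specification, frame-ancestors is matched against the origin of every ancestor document in the chain, not just the direct parent. That matters for the chain in the question (LinkedIn -> extension -> web app): if the content script inserts the web-app iframe straight into the LinkedIn DOM, the only ancestor is LinkedIn and the extension origin never appears; if the extension instead frames an extension page that in turn frames the web app, both the extension origin and the LinkedIn origin are ancestors and both must be listed. The extension id below is a placeholder, and the matcher is a simplified model of the CSP3 source-expression rules (scheme, host with an optional leading "*." wildcard, port); it does not implement 'self', nonces or hashes.

```python
"""Build and evaluate a CSP frame-ancestors policy against a chain of ancestors.

Added example (not from the thread). Simplified model of the CSP3 matching
rules: sources are written as scheme://host[:port] or as a bare scheme ("https:").
"""
from urllib.parse import urlsplit

# Placeholder id; a real Chrome extension id is 32 lowercase letters a-p.
EXTENSION_ID = "abcdefghijklmnopabcdefghijklmnop"
EXTENSION_ORIGIN = f"chrome-extension://{EXTENSION_ID}"

DEFAULT_PORTS = {"http": 80, "https": 443}


def build_frame_ancestors(allowed_origins):
    """Return the Content-Security-Policy header value for the allowed origins."""
    sources = " ".join(allowed_origins) if allowed_origins else "'none'"
    return f"frame-ancestors {sources}"


def response_headers(allowed_origins):
    """Headers the web app should send in place of X-Frame-Options: DENY.

    X-Frame-Options can only express DENY or SAMEORIGIN in Chrome, so it cannot
    name an extension origin; frame-ancestors can.
    """
    return {"Content-Security-Policy": build_frame_ancestors(allowed_origins)}


def _split_origin(origin):
    """Normalise an origin or source expression into (scheme, host, effective port)."""
    parts = urlsplit(origin)
    scheme = parts.scheme.lower()
    host = parts.hostname.lower() if parts.hostname else ""
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def source_matches(source, origin):
    """Does one frame-ancestors source expression match an ancestor origin?"""
    if source == "'none'":
        return False
    s_scheme, s_host, s_port = _split_origin(source)
    o_scheme, o_host, o_port = _split_origin(origin)
    if s_scheme != o_scheme:
        return False
    if not s_host:                      # scheme-only source such as "https:"
        return True
    if s_host.startswith("*."):
        # "*.linkedin.com" matches "www.linkedin.com" but not "linkedin.com"
        if not o_host.endswith(s_host[1:]):
            return False
    elif s_host != o_host:
        return False
    return s_port == o_port


def frame_ancestors_allows(sources, ancestor_origins):
    """True only if *every* ancestor document in the chain matches some source.

    The browser walks the whole ancestor chain, so a single unlisted ancestor
    (for example the top-level LinkedIn page) blocks the frame.
    """
    return all(any(source_matches(s, a) for s in sources) for a in ancestor_origins)


if __name__ == "__main__":
    print(response_headers([EXTENSION_ORIGIN]))
    # Web app framed directly by an extension page: allowed.
    print(frame_ancestors_allows([EXTENSION_ORIGIN], [EXTENSION_ORIGIN]))
    # Extension page sits inside LinkedIn: LinkedIn is an ancestor too, so blocked.
    nested = [EXTENSION_ORIGIN, "https://www.linkedin.com"]
    print(frame_ancestors_allows([EXTENSION_ORIGIN], nested))
    # Listing the host site as well lets the nested chain through.
    print(frame_ancestors_allows([EXTENSION_ORIGIN, "https://*.linkedin.com"], nested))
```

The policy still cannot distinguish "framed by our extension" from "framed by a LinkedIn page" once the host site has to be listed, since any page on that origin then matches; the extension origin in the list only helps when an extension page is itself an ancestor.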