Issues with Chrome Extension CSP and Inline Scripts

[Adam Bender]

I am trying to build a chrome extension using dart and have run into trouble with the Content Security Policy (CSP). Using the example attached I receive the following error:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' chrome-extension-resource:".

This seems to be related to the use of jsInterop (which I assume is trying to execute inline scripts), as when I remove the js.scoped(...) the error goes away. Apparently, chrome doesn't allow relaxing of the inline script CSP provision in anyway. Unfortunately, not all of the chrome.* apis have been implemented by dart:chrome and I needed to reach out to some others via jsInterop. 

Has anyone else run into this issue? Or have any idea how I might got about dealing with it?

btw I am already building with --disallow-unsafe-eval.

[John Messerly]

Does it work if you add a <script src="packages/js/dart_interop.js"> ?

(https://github.com/dart-lang/js-interop/blob/master/lib/dart_interop.js)

JS interop will try to inject a script, but only if it's not there already:

https://github.com/dart-lang/js-interop/blob/master/lib/js.dart#L688

--
Consider asking HOWTO questions at Stack Overflow: http://stackoverflow.com/tags/dart
 
 

[Adam Bender]

So adding the direct reference I ran into another error, and the other errors still exist:

Uncaught ReferenceError: ReceivePortSync is not defined

Which I can find a reference to in the generated bootstrap file, so this is probably the result of the compilation process mangling name spaces. Is there anyway I can get the jsinterop included in the compile so that I have everything I need in one js bundle?

[Vijay Menon]

This is usually a sign of scripts not run or running out of order.  You will need both:

    <script src="packages/browser/dart.js"></script>

    <script src="packages/js/dart_interop.js"></script>

in that order, I think.  ReceivePortSync is defined in dart.js.

Cheers,

Vijay

--

[Adam Bender]

Infact this was the problem, however it was made slightly less obvious because the default project template for a chrome extension doesnt actually include a reference to pacakges/browser/dart.js by default. Perhaps that is by design but I didnt even realize it was missing, would it make sense to add this script in for a default extension, which presumably is going to be running in the browser?

[Devon Carew]

Infact this was the problem, however it was made slightly less obvious because the default project template for a chrome extension doesnt actually include a reference to pacakges/browser/dart.js by default. Perhaps that is by design but I didnt even realize it was missing, would it make sense to add this script in for a default extension, which presumably is going to be running in the browser?

We omitted it originally because we didn't need the script auto-selection behavior - to run dart code or js code depending on the browser - since for chrome apps we're always compiling to javascript.

I'll add some commented out references to dart.js and dart_interop.js in the sample. We're not doing JS interop in that sample, but this seems like a common issue that people are running into (having to in-line dart_interop.js, and including them in the right order). So leading them down the happy path would be best.

-- 
Consider asking HOWTO questions at Stack Overflow: http://stackoverflow.com/tags/dart
 
 

--
Devon Carew

Software Engineer

Google, Inc.

[John Messerly]

Good call. It would probably be a good idea to add js interop too. Do you mind opening a bug for it? :)

On Apr 18, 2013 10:05 AM, "Adam Bender" <adamb...@gmail.com> wrote:

Infact this was the problem, however it was made slightly less obvious because the default project template for a chrome extension doesnt actually include a reference to pacakges/browser/dart.js by default. Perhaps that is by design but I didnt even realize it was missing, would it make sense to add this script in for a default extension, which presumably is going to be running in the browser?

[Ross Smith]

> since for chrome apps we're always compiling to javascript.

Why is that?  I've been using chrome apps in Dartium with dart scripts for quite some time now.  Of course I know I can't deploy anything like that but I can't deploy a web app like that right now either :)   

[Devon Carew]

> since for chrome apps we're always compiling to javascript.

Why is that?  I've been using chrome apps in Dartium with dart scripts for quite some time now.  Of course I know I can't deploy anything like that but I can't deploy a web app like that right now either :) 

The dart:chrome library is only available to dart2js and not to Dartium. It has direct javascript bindings  (not using the JS interop library) and no dart ones. That library only exposes a very tiny bit of the chrome app APIs however; personally, I'm using JS interop now to call the chrome APIs that I use. I get access to all the APIs and it lets me run the Dart portion of the code natively.

I have no idea whether the best path forward would be to complete the dart:chrome library or to write a wrapper library that just uses JS interop. For the moment however that sample uses the dart:chrome library.

On Thursday, April 18, 2013 10:44:24 AM UTC-7, Devon Carew wrote:

Infact this was the problem, however it was made slightly less obvious because the default project template for a chrome extension doesnt actually include a reference to pacakges/browser/dart.js by default. Perhaps that is by design but I didnt even realize it was missing, would it make sense to add this script in for a default extension, which presumably is going to be running in the browser?

We omitted it originally because we didn't need the script auto-selection behavior - to run dart code or js code depending on the browser - since for chrome apps we're always compiling to javascript.

I'll add some commented out references to dart.js and dart_interop.js in the sample. We're not doing JS interop in that sample, but this seems like a common issue that people are running into (having to in-line dart_interop.js, and including them in the right order). So leading them down the happy path would be best.

-- 
Consider asking HOWTO questions at Stack Overflow: http://stackoverflow.com/tags/dart
 
 

--
Devon Carew

Software Engineer

Google, Inc.

--
Consider asking HOWTO questions at Stack Overflow: http://stackoverflow.com/tags/dart
 
 

[Ross Smith]

> The dart:chrome library is only available to dart2js and not to Dartium. It has direct javascript bindings  (not using the JS interop library) and no dart ones. That library only exposes a very tiny bit of the chrome app APIs however; 

Oh, interesting.  I haven't actually used the dart:chrome library - but that was because I think the generated? API looks atrocious.

> personally, I'm using JS interop now to call the chrome APIs that I use. I get access to all the APIs and it lets me run the Dart portion of the code natively.

Yeah, I'm basically doing the same.  I bootstrap with js and then my html windows load dart scripts.  I use js-interop to talk to the chrome APIs that I need.

> For the moment however that sample uses the dart:chrome library.

Ok, I didn't realize all that.  It makes me kind of sad I guess, since many developers might not realize how awesome it is writing chrome apps in Dart.  

cheers

[adam]

I'd like to play with dart:chrome more, possible we can now generate the rest of the apis? Right now only "app_window.idl" and "app_runtime.idl" seem to be supported. 
 https://code.google.com/p/dart/source/browse/branches/bleeding_edge/dart/tools/dom/scripts/chromegenerator.py

[Nelson Silva]

Any news on this ? 

I just found https://codereview.chromium.org/12316032/ but it did not get merged yet....

[Kevin Moore]

Sasha was an intern (I think). So it's possible this has been orphaned.

I have a bug open on chrome.* storage: https://code.google.com/p/dart/issues/detail?id=9923

--

[Ben Wells]

This is still being worked on, but it has definitely slowed down. We're focusing on testing the framework.