Firefox Support: CSP issue

Florian
Aug 10, 2016, 3:45:45 AM
to InboxSDK
Now that WebExtensions are officially out, I tried to see how Inbox SDK would play with it.

Unfortunately, it seems we cannot bypass a strict content-security-policy rule. More particularly, Firefox prevents the loading of the SDK's core script, i.e. https://www.inboxsdk.com/build/platform-implementation.js

Refused to load the script 'https://www.inboxsdk.com/build/platform-implementation.js' because it violates the following Content Security Policy directive: "script-src https://clients4.google.com/insights/consumersurveys/ 'self' 'unsafe-inline' 'unsafe-eval' https://mail.google.com/_/scs/mail-static/ https://hangouts.google.com/ https://talkgadget.google.com/ https://*.talkgadget.google.com/ https://www.googleapis.com/appsmarket/v2/installedApps/ https://www-gm-opensocial.googleusercontent.com/gadgets/js/ https://docs.google.com/static/doclist/client/js/ https://www.google.com/tools/feedback/ https://s.ytimg.com/yts/jsbin/ https://www.youtube.com/iframe_api https://ssl.google-analytics.com/ https://apis.google.com/_/scs/abc-static/ https://apis.google.com/js/ https://clients1.google.com/complete/ https://apis.google.com/_/scs/apps-static/_/js/ https://ssl.gstatic.com/inputtools/js/ https://ssl.gstatic.com/cloudsearch/static/o/js/ https://www.gstatic.com/feedback/js/ https://www.gstatic.com/common_sharing/static/client/js/ https://www.gstatic.com/og/_/js/".

Would you have any ideas/suggestions on how we could bypass this?

Note that adding specific content-security rules in the manifest.json file does not change anything.

Florian
Aug 10, 2016, 3:52:19 AM
to InboxSDK
For instance, do you think it possible to change your Headers > "Access-Control-Allow-Origin"?

Chris Cowan
Aug 10, 2016, 3:21:23 PM
to InboxSDK
The issue doesn't have to do with the CORS header on the file. It has to do with Gmail's Content-Security-Policy header.

I'm confused as to why a "script-src" directive is blocking an AJAX request for platform-implementation.js. Are you adding the script to the page yourself? In inboxsdk.js, we do an AJAX request for that file and then eval the source. If you add it in a script tag into the page, then it can be blocked by the page's CSP, and it gets run in the page world instead of the extension's world.

If you get it to load in Firefox, there will be some issues caused by us depending on a few webkit-specific functions. We can look into those if you get that far.

Florian
Aug 10, 2016, 6:45:21 PM
to InboxSDK
Thanks for the reply, Chris.

Did not think it useful to mention in my first post, but - of course - we use the standard or recommended way of loading the SDK, that is inboxsdk.js and then

InboxSDK.load('1.0', '<ID>').then(function(sdk){ /* ... */ });

That's why it makes the loading error so intriguing. We will try to find a way to patch the way inboxsdk.js loads the implementation...

Thanks again.

Chris Cowan
Aug 10, 2016, 7:06:03 PM
to InboxSDK
Oh, I know what's going on. The inboxsdk.js loader tries to load platform-implementation.js through a script tag if it doesn't think you're in an extension content script. The code to check if you're in an extension content script is specific to Chrome and Safari. As a temporary work-around, you can run `window.chrome = {extension: {}};` before you run inboxsdk.js, and that will convince it you're in an extension content script.

Florian
Aug 11, 2016, 3:05:06 AM
to InboxSDK
Thanks, Chris. Indeed, adding window.chrome = {extension:{}} made the loading of the implementation possible!
FYI and as expected, InboxSDK throws a few errors and cannot apply its methods properly in a non-Webkit browser. See below:
ERROR REPORTING ERROR TypeError: r.__inboxsdk_extensionSeenErrors.has is not a function
Stack trace:
platform-implementation.js:87:16801
u()platform-implementation.js:87
o()platform-implementation.js:87
u()platform-implementation.js:102
[724]</</le</<.value()platform-implementation.js:102
[724]</</</<()platform-implementation.js:102
[275]</T/</a()platform-implementation.js:31
[275]</T/<()platform-implementation.js:31
[222]</t.exports/l()platform-implementation.js:30

ORIGINAL ERROR Arguments { , 6 more… }platform-implementation.js:87:16842
u()platform-implementation.js:87
o()platform-implementation.js:87
u()platform-implementation.js:102
[724]</</le</<.value()platform-implementation.js:102
[724]</</</<()platform-implementation.js:102
[275]</T/</a()platform-implementation.js:31
[275]</T/<()platform-implementation.js:31
[222]</t.exports/l()platform-implementation.js:30

ERROR REPORTING ERROR TypeError: r.__inboxsdk_extensionSeenErrors.has is not a function
Stack trace:
platform-implementation.js:87:16801

ORIGINAL ERROR Arguments { , 6 more… }platform-implementation.js:87:16842
