
CSP errors for browser_action pop-up in spite of correct CSP header


afo...@gmail.com

Jun 16, 2016, 10:58:57 PM
I need to dynamically update content on my browser_action pop-up, so I am testing with the code below, which works fine in a regular page on the server but not in the browser_action page in the addon. I keep getting error: Content Security Policy: The page's settings blocked the loading of a resource at self

I have tried every conceivable type of Content-Security-Policy I could think of. The one below has 4 different values for default-src but I also tried them one-by-one.

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="Content-Security-Policy" content="default-src * 'self' 'unsafe-inline' 'unsafe-eval'">
</head>
<body>
<div id="mainText">
Hello I am action1
</div>
<script type="text/javascript">
document.getElementById("mainText").innerHTML+= "new content"
</script>
</body>
</html>

Andrew McKay

Jun 17, 2016, 4:16:03 AM
to afo...@gmail.com, dev-ext...@lists.mozilla.org
Assuming that this is a WebExtension, have you tried changing the CSP
in the manifest.json?

https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/content_security_policy

afo...@gmail.com

Jun 17, 2016, 10:34:41 AM
On Friday, June 17, 2016 at 3:16:03 AM UTC-5, Andrew McKay wrote:
> Assuming that this is a WebExtension, have you tried changing the CSP
> in the manifest.json?
>
> https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/content_security_policy

It is a WebExtension ... and no I hadn't tried adjusting the manifest.json.
I did that and I still get the same error. I tried:

"content_security_policy": "script-src 'self'; object-src 'self'",

"content_security_policy": "default-src *; script-src *; object-src *",

"content_security_policy": "default-src * 'self' 'unsafe-inline' 'unsafe-eval'; script-src *; object-src *",

"content_security_policy": "default-src * 'self' 'unsafe-inline' 'unsafe-eval'; script-src 'self'; object-src 'self'",

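Added example, not part of any post in this thread: a sketch of standard CSP matching for an inline script that carries no nonce or hash, run over the policies quoted above. It assumes the pop-up is subject to both the manifest policy and the page's meta policy; the function names are hypothetical.

```javascript
"use strict";
// Added example: standard CSP matching for an inline <script> without nonce/hash.

// Parse "name src src; name src" into a Map of directive -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !directives.has(name)) directives.set(name, sources);
  }
  return directives;
}

// True if this one policy lets an inline script (no nonce/hash attribute) run.
function policyAllowsInline(policy) {
  const d = parseCsp(policy);
  // script-src replaces default-src outright; the two lists are never merged.
  const sources = d.get("script-src") ?? d.get("default-src");
  if (sources === undefined) return true; // nothing governs scripts
  // A nonce or hash source makes the browser ignore 'unsafe-inline'.
  const nonceOrHash = sources.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  // "*" and 'self' match URLs only, so they never cover inline code.
  return sources.includes("'unsafe-inline'") && !nonceOrHash;
}

// Every policy in force must allow; an extra policy can only restrict.
function inlineScriptRuns(policies) {
  return policies.every(policyAllowsInline);
}

// Policies quoted in the thread.
const META = "default-src * 'self' 'unsafe-inline' 'unsafe-eval'";
const MANIFEST_ATTEMPTS = [
  "script-src 'self'; object-src 'self'",
  "default-src *; script-src *; object-src *",
  "default-src * 'self' 'unsafe-inline' 'unsafe-eval'; script-src *; object-src *",
  "default-src * 'self' 'unsafe-inline' 'unsafe-eval'; script-src 'self'; object-src 'self'",
];

// Assumption: the pop-up is subject to the manifest policy and the meta policy.
function report() {
  return MANIFEST_ATTEMPTS.map((m) => inlineScriptRuns([m, META]));
}

console.log(report()); // one boolean per manifest attempt
```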