科技改变生活-雨落星辰 - 所有的伟大,都源于一个勇敢的开始

    最新消息:雨落星辰是一个专注网站SEO优化、网站SEO诊断、搜索引擎研究、网络营销推广、网站策划运营及站长类的自媒体原创博客
    你的位置: 首页>programmer>javascript - how to fix 'Chrome Content Security Policy Directive' in chrome extension - Stack Overflow

    javascript - how to fix 'Chrome Content Security Policy Directive' in chrome extension - Stack Overflow

    programmeradmin1浏览0评论

    I'm making a chrome extension that hits Wikipedia's API through an ajax call using JQuery. I have included a copy of JQuery in my extension's local js folder. in the popup I have an input and I take that value and do a get request in the popup.js and I get a "Refused to load the script because it violates the following Content Security Policy directive: "script-src 'self' blob: filesystem: chrome-extension-resource:". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback."

    I have WebRequest and <all_urls> set in the permissions in manifest.json file. This is what my permissions look like in the manifest: 

    "permissions": [
    "tabs",
    "webNavigation",
    "webRequest",
    "<all_urls>",
    "/*"
  ],

    I saw that adding a "content_security_policy": "script-src-elem 'self' /" would make it easier on it but that didn't solve the problem. 

    $('#urlCopyButton').click(function search() {
    var searchWord = document.querySelector('#searchWord').value;
    console.log(searchWord);
    var results = [];


$.ajax({
          crossDomain: true,
          header: 'Access-Control-Allow-Origin',
          url:`.php?action=opensearch&format=json&maxlag=5&search=${searchWord}&callback=?`,
          type: 'GET',
          dataType: 'json',
          beforeSend: function(xhr){xhr.setRequestHeader('', '');},
          success: (data) => {
              $("#output").html("");
            var i =0;
            for (var i = 0; i < data[1].length; i++) {
              $("#output").append(`<li><a href= "${data[3][i]  } ">${data[1][i] + " " + data[2][i]}<a></li>`);
            }
            console.log(data);
          },
          error: (err) =>{
            console.log(err.responseJSON);
          }


      })

    })

    I expect it to be a success and the data to so up in the console but it doesn't it throws this error:

    Refused to load the script '.php?action=opensearch&format=json&maxlag=5&search=dfa&callback=jQuery33108394586597996985_1549655186216&_=1549655186217' because it violates the following Content Security Policy directive: "script-src 'self' blob: filesystem: chrome-extension-resource:". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

    send @ jquery.js:2"

    I'm making a chrome extension that hits Wikipedia's API through an ajax call using JQuery. I have included a copy of JQuery in my extension's local js folder. in the popup I have an input and I take that value and do a get request in the popup.js and I get a "Refused to load the script because it violates the following Content Security Policy directive: "script-src 'self' blob: filesystem: chrome-extension-resource:". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback."

    I have WebRequest and <all_urls> set in the permissions in manifest.json file. This is what my permissions look like in the manifest: 

    "permissions": [
    "tabs",
    "webNavigation",
    "webRequest",
    "<all_urls>",
    "https://en.wikipedia/*"
  ],

    I saw that adding a "content_security_policy": "script-src-elem 'self' https://www.wikipedia/" would make it easier on it but that didn't solve the problem. 

    $('#urlCopyButton').click(function search() {
    var searchWord = document.querySelector('#searchWord').value;
    console.log(searchWord);
    var results = [];


$.ajax({
          crossDomain: true,
          header: 'Access-Control-Allow-Origin',
          url:`https://en.wikipedia/w/api.php?action=opensearch&format=json&maxlag=5&search=${searchWord}&callback=?`,
          type: 'GET',
          dataType: 'json',
          beforeSend: function(xhr){xhr.setRequestHeader('https://en.wikipedia', 'https://en.wikipedia');},
          success: (data) => {
              $("#output").html("");
            var i =0;
            for (var i = 0; i < data[1].length; i++) {
              $("#output").append(`<li><a href= "${data[3][i]  } ">${data[1][i] + " " + data[2][i]}<a></li>`);
            }
            console.log(data);
          },
          error: (err) =>{
            console.log(err.responseJSON);
          }


      })

    })

    I expect it to be a success and the data to so up in the console but it doesn't it throws this error:

    Refused to load the script 'https://en.wikipedia/w/api.php?action=opensearch&format=json&maxlag=5&search=dfa&callback=jQuery33108394586597996985_1549655186216&_=1549655186217' because it violates the following Content Security Policy directive: "script-src 'self' blob: filesystem: chrome-extension-resource:". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

    send @ jquery.js:2"

    • javascript
    • jquery
    • ajax
    • google-chrome
    • google-chrome-extension
    Share Improve this question edited Dec 28, 2019 at 22:28 Soviut 91.9k53 gold badges209 silver badges283 bronze badges asked Feb 8, 2019 at 19:51 Drew GilliesDrew Gillies 532 gold badges4 silver badges10 bronze badges 11
    • I can post a link to a github repo with all my code if you need me to – Drew Gillies Commented Feb 8, 2019 at 23:16
    • See the documentation: simply declare the site in ”permissions” field and don't use CORS headers in the request. No need to modify CSP either. – woxxom Commented Feb 9, 2019 at 4:26
    • I've already got it in the permissions: "permissions": [ "tabs", "webNavigation", "webRequest", "<all_urls>", " en.wikipedia* " ], – Drew Gillies Commented Feb 9, 2019 at 13:40
    • I removed the CORS headers from the ajax call and CSP from the manifset.json. It still is an error: Refused to load the script 'en.wikipedia/w/…' because it violates the following Content Security Policy directive: "script-src 'self' blob: filesystem: chrome-extension-resource:". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.. however, when i click on the link it takes me to what I expected to get back. – Drew Gillies Commented Feb 9, 2019 at 13:49
    • so is there a way to let Chrome be okay with the script? – Drew Gillies Commented Feb 9, 2019 at 13:53
     |  Show 6 more ments

    1 Answer 1

    Reset to default 2

    Wikipedia's callback=? parameter is an ancient hack to load dataType: 'json' as a script, which is forbidden by default CSP in extensions. While many existing answers suggest relaxing the default extension CSP, it's obviously a bad solution that opens the extension to various remote attacks (like MitM).

    Simply remove &callback=? parameter so that wikipedia returns a valid JSON by default.

    No need for CORS-related tweaks like headers or crossDomain: true, no need to modify CSP.

    $.ajax({
  url: 'https://en.wikipedia/w/api.php?' +
       'action=opensearch&format=json&maxlag=5&search=' + encodeURIComponent(searchWord),
  success(data) {
    // ...............
    // data is an object/array, you can process it directly here
    // ...............
  },
});

    manifest.json should allow the URL:

    • "permissions": ["https://*.wikipedia/"]
    • "permissions": ["<all_urls>"]

    与本文相关的文章

    发布评论

    评论列表(0)

    1. 暂无评论