
Content Security Policy issue #18

Closed
zenzjtech opened this issue Mar 12, 2020 · 3 comments

Comments

@zenzjtech

zenzjtech commented Mar 12, 2020

Hello,

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-GgRxrVOKNdB4LrRsVPDSbzvfdV4UqglmviH9GoBJ5jk='". Either the 'unsafe-inline' keyword, a hash ('sha256-N/tHXVVQthcO77tcS7VT2tmLWxdumYi73F87h+hd5s0='), or a nonce ('nonce-...') is required to enable inline execution.

My manifest.json - I tried both hashes, the default one and the one suggested in the error message, but neither of them works.

{
  "name": "My Extension",
  "version": "1.0",
  "manifest_version": 2,
  "browser_action": {
    "default_popup": "index.html"
  },
  "content_security_policy": "script-src 'self' 'sha256-N/tHXVVQthcO77tcS7VT2tmLWxdumYi73F87h+hd5s0='; object-src 'self'"
}
@zenzjtech
Author

@satendra02: I forgot to build after updating to the suggested hash. Just rebuilt and now it works!

@zenzjtech
Author

Is there a way to fix the issue that whenever the extension is rebuilt, a new hash is required for manifest.json?
The extension keeps signaling the above error.

@zenzjtech zenzjtech reopened this Mar 12, 2020
@satendra02
Owner

satendra02 commented Mar 13, 2020

Hi @zenzjtech

If you are using any inline script in index.html, the hash generated in the console will be the same every time you build if there is no change in the script block code.

For more, read this article:
https://www.troyhunt.com/locking-down-your-website-scripts-with-csp-hashes-nonces-and-report-uri/


You can remove that hash if you are not using any external js in index.html via the <script src="..."> tag.

"content_security_policy": "script-src 'self'; object-src 'self'"

If you are using any external script like the one below inside your index.html (suppose the script resources are to be loaded from example.com over HTTPS):

<script src="https://example.com/js/library.js"></script>

A relaxed policy definition looks like:

"content_security_policy": "script-src 'self' https://example.com; object-src 'self'"


If none of the above is the case, then do these steps and let me know if it works.

  1. Create a .env file in the project root
  2. Add variable as follows: INLINE_RUNTIME_CHUNK=false
  3. Build the project again and load the extension again.

I hope it helps!


For more on relaxing CSP, read below:

https://developer.chrome.com/extensions/contentSecurityPolicy

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#Unsafe_inline_script
