设置为*时,Chrome扩展程序Content-Security-Policy引发错误 [英] Chrome Extension Content-Security-Policy throwing errors, while it's set on *
问题描述
我已经在manifest.json中尝试了CSP设置的所有可能设置,这是我的当前设置(我知道它非常开放和不安全).
I've tried all possible setups for the CSP settings in my manifest.json, this is my current (very open and unsafe, I know).
当我打开扩展程序的后台检查时,重新加载后的第一次很好,有时直到第五次,然后突然出现下面的错误.
When I open the background inspect for the extension, the first time after reloading it's fine, sometimes up until the fifth time, and then all of a sudden the errors below start pouring in..
"content_security_policy": "default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src *; style-src * 'unsafe-inline';"
仍然出现以下错误
Refused to load the script 'https://myapp-12345.firebaseio.com/.lp?start=t&ser=1234567&cb=15&v=5' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
我尝试过的
- 当我更改manifest.json时删除chrome扩展名
有什么我想念的吗?
推荐答案
您只能在一定程度上放宽Chrome扩展程序中的CSP
Chrome扩展程序清单中的 "content_security_policy"
条目允许开发人员仅在一定程度上放宽CSP. style-src
所允许的值子集非常有限,引用来自官方文档:
You can only relax CSP in Chrome extensions to a certain extent
"content_security_policy"
entry in Chrome Extension manifest allows developers to relax the CSP to a certain extent only. The subset of values allowed for style-src
is very limited, quote from the official documentation:
当前,开发人员可以通过以下方式允许列出来源方案:blob,文件系统,https和chrome-extension .主机部分必须为https明确指定来源的chrome扩展方案.通用通配符,例如https:,https://*和https://*.com不允许;...
Currently, developers can allowlist origins with the following schemes: blob, filesystem, https, and chrome-extension. The host part of the origin must explicitly be specified for the https and chrome-extension schemes. Generic wildcards such as https:, https://* and https://*.com are not allowed; ...
您的CSP中指定的许多值(例如 script-src
的 *
和'unsafe-inline'
)无效"content_security_policy"
中,Chrome在解析 manifest.json
时会忽略它们(带有警告).
Many of the values specified in your CSP (eg. *
and 'unsafe-inline'
for script-src
) are not valid in "content_security_policy"
and Chrome ignores them (with a warning) when parsing manifest.json
.
我怀疑您可能正在后台页面的JavaScript控制台中检查错误.您需要首先检查为 manifest.json
生成的错误和警告.转到 chrome://extensions/
,然后点击扩展程序的错误按钮.会有这样的警告:
I suspect that you might be checking errors in JavaScript console of the background page. You need to check the errors and warnings generated for your manifest.json
first. Go to chrome://extensions/
and click on the Errors button for your extension. There will be several warnings such as this:
content_security_policy':忽略指令中不安全的CSP值"*"'script-src'.
content_security_policy': Ignored insecure CSP value "*" in directive 'script-src'.
修改:我只是注意到错误"页面( chrome://extensions/?errors =< extension-id>
)的行为不一致.似乎存在一个错误,导致仅在重新加载扩展程序后才会显示有关被忽略的CSP值的警告.
I just noticed that the Errors page (chrome://extensions/?errors=<extension-id>
) behaves inconsistently. There seems to be a bug that causes the warnings about ignored CSP values to only show up after reloading the extension.
"content_security_policy"
在Chrome中
"content_security_policy"
in Chrome
"content_security_policy"
在Firefox中
(规范基本上是相同的,但我发现有关MDN的文档更好,也更容易遵循.)
"content_security_policy"
in Firefox
(The specification is basically identical but I find the documentation on MDN nicer and easier to follow.)
这篇关于设置为*时,Chrome扩展程序Content-Security-Policy引发错误的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!