Chrome Extension Content-Security-Policy throwing errors, while it's set on *


Question

I've tried all possible setups for the CSP settings in my manifest.json; this is my current one (very open and unsafe, I know).

When I open the background inspect for the extension, the first time after reloading it's fine, sometimes up until the fifth time, and then all of a sudden the errors below start pouring in.

"content_security_policy": "default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src *; style-src * 'unsafe-inline';"

Still getting the following error:

Refused to load the script 'https://myapp-12345.firebaseio.com/.lp?start=t&ser=1234567&cb=15&v=5' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

What I've tried

  • Removing the Chrome extension when I change the manifest.json
  • Is there something I'm missing?

    Accepted answer

    You can only relax CSP in Chrome extensions to a certain extent

    The "content_security_policy" entry in the Chrome extension manifest allows developers to relax the CSP to a certain extent only. The subset of values allowed for style-src is very limited; quote from the official documentation:

    Currently, developers can allowlist origins with the following schemes: blob, filesystem, https, and chrome-extension. The host part of the origin must explicitly be specified for the https and chrome-extension schemes. Generic wildcards such as https:, https://* and https://*.com are not allowed; ...

    Many of the values specified in your CSP (e.g. * and 'unsafe-inline' for script-src) are not valid in "content_security_policy", and Chrome ignores them (with a warning) when parsing manifest.json.

    I suspect that you might be checking errors in the JavaScript console of the background page. You need to check the errors and warnings generated for your manifest.json first. Go to chrome://extensions/ and click on the Errors button for your extension. There will be several warnings such as this:

    content_security_policy': Ignored insecure CSP value "*" in directive 'script-src'.

    Edit: I just noticed that the Errors page (chrome://extensions/?errors=<extension-id>) behaves inconsistently. There seems to be a bug that causes the warnings about ignored CSP values to only show up after reloading the extension.

    "content_security_policy" 在Chrome中

    "content_security_policy" in Chrome

    "content_security_policy"在Firefox中
    (规范基本上是相同的,但我发现有关MDN的文档更好,也更容易遵循.)

    "content_security_policy" in Firefox
    (The specification is basically identical but I find the documentation on MDN nicer and easier to follow.)
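The answer above explains that Chrome silently drops the values it does not allow in the manifest's "content_security_policy" and enforces whatever is left, which is why the asker's policy turns into "script-src 'self' 'unsafe-eval'". The following checker is an added example (not code from the question, the answer, or Chromium): it applies the rules quoted in the answer to a policy string and reports which values would be ignored, so a manifest can be reviewed before loading it. It models only the quoted rules plus one documented detail (a subdomain wildcard such as https://*.example.com is accepted), and it adds 'self' back to script-src to mirror the enforced policy shown in the error message; both are assumptions about Chrome's behaviour, not a copy of its parser. The sample policies are the asker's own and a constructed corrected one that allowlists the Firebase origin from the error message.

```javascript
// Added example: models the manifest "content_security_policy" rules quoted in the
// answer. Not Chrome's parser; rejection reasons and the 'self' fallback are assumptions.

// Schemes the quoted documentation allows as sources.
const ALLOWED_SCHEMES = new Set(['blob', 'filesystem', 'https', 'chrome-extension']);
// Schemes whose host part must be given explicitly.
const HOST_REQUIRED = new Set(['https', 'chrome-extension']);
// Keywords that survive. 'self' and 'unsafe-eval' appear in the enforced policy from
// the error message; 'none' is the standard empty source. 'unsafe-inline' is absent on
// purpose because the answer says Chrome ignores it.
const ALLOWED_KEYWORDS = new Set(["'self'", "'unsafe-eval'", "'none'"]);

// Split a policy string into { name, values } objects, one per directive, in order.
function parsePolicy(policy) {
  return policy
    .split(';')
    .map(part => part.trim())
    .filter(part => part.length > 0)
    .map(part => {
      const [name, ...values] = part.split(/\s+/);
      return { name: name.toLowerCase(), values };
    });
}

// Return null when a single source expression is acceptable, otherwise a short reason.
function rejectReason(value) {
  if (value.startsWith("'")) {
    return ALLOWED_KEYWORDS.has(value.toLowerCase()) ? null : 'insecure keyword';
  }
  if (value === '*') return 'insecure wildcard';
  // Scheme-only source such as "blob:" or "https:".
  const schemeOnly = value.match(/^([a-z][a-z0-9+.-]*):$/i);
  if (schemeOnly) {
    const scheme = schemeOnly[1].toLowerCase();
    if (!ALLOWED_SCHEMES.has(scheme)) return 'scheme not allowed';
    if (HOST_REQUIRED.has(scheme)) return 'host must be explicit';
    return null;
  }
  // Origin source such as "https://example.com" or "chrome-extension://<id>".
  const origin = value.match(/^([a-z][a-z0-9+.-]*):\/\/([^/:]*)(?::\d+)?(?:\/.*)?$/i);
  if (!origin) return 'not a recognised source';
  const scheme = origin[1].toLowerCase();
  const host = origin[2].toLowerCase();
  if (!ALLOWED_SCHEMES.has(scheme)) return 'scheme not allowed';
  if (host === '' || host === '*') return 'generic wildcard';
  // "*.com" is a wildcard over a single label and counts as generic. Assumption beyond
  // the quoted text: a wildcard over a registered domain ("*.example.com") is accepted.
  if (host.startsWith('*.') && !host.slice(2).includes('.')) return 'generic wildcard';
  if (host.includes('*') && !host.startsWith('*.')) return 'wildcard in host';
  return null;
}

// Apply the rules to a whole policy. Returns the policy that would effectively be
// enforced plus warnings in the style of the chrome://extensions Errors page.
function checkManifestCsp(policy) {
  const warnings = [];
  const effective = [];
  for (const { name, values } of parsePolicy(policy)) {
    const kept = [];
    for (const value of values) {
      const reason = rejectReason(value);
      if (reason === null) {
        kept.push(value);
      } else {
        warnings.push(`Ignored insecure CSP value "${value}" in directive '${name}' (${reason}).`);
      }
    }
    // Assumption about Chrome: the error on the page shows script-src enforced as
    // "'self' 'unsafe-eval'" although 'self' was never written, so it is added back.
    if (name === 'script-src' && !kept.includes("'self'") && !kept.includes("'none'")) {
      kept.unshift("'self'");
    }
    effective.push(`${name} ${kept.join(' ')}`.trim());
  }
  return { effective: effective.join('; '), warnings };
}

// The asker's policy, copied from the question.
const ASKER_POLICY =
  "default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; " +
  "connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src *; " +
  "style-src * 'unsafe-inline';";

// Constructed corrected policy: explicit https origin taken from the error message.
const CORRECTED_POLICY =
  "script-src 'self' https://myapp-12345.firebaseio.com 'unsafe-eval'; object-src 'self'";

for (const policy of [ASKER_POLICY, CORRECTED_POLICY]) {
  const { effective, warnings } = checkManifestCsp(policy);
  console.log(`policy:    ${policy}\neffective: ${effective}`);
  for (const w of warnings) console.log(`  ${w}`);
}
```

Run it with node: the asker's policy produces twelve warnings and collapses to "script-src 'self' 'unsafe-eval'", which is exactly the directive named in the "Refused to load the script" error, while the corrected policy passes unchanged. Since the check runs on the string itself, it can sit in a pre-commit hook or test for the extension's manifest.json so that ignored values are caught before the Errors page has a chance to hide them.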
