拒绝连接到[url]，因为它违反了以下内容安全策略指令 [英] Refused to connect to [url] because it violates the following Content Security Policy directive

问题描述

我是Chrome扩展程序的作者，允许在Facebook上翻译状态更新和评论： https://chrome.google.com/webstore/detail/facebook-translate/plofenifjagmdikfcobngnfmmnfmphin

几天以来，我的用户和我在错误控制台中得到了一个错误：

拒绝连接到' https://api.microsofttranslator.com/V2/Http.svc/Translate?appId=&text=Chrome-Integration%3A+Google+bringt+Google+Now+auf+Desktop-PCs&to= en& contentType = text％2Fhtml ，因为它违反了以下内容安全策略指令：connect-src https：// .facebook.com http：// .facebook.com https：// .fbcdn.net http：// .fbcdn.net * .facebook.net .spotilocal.com： https： //.akamaihd.net ws：// .facebook.com：* http：//*.akamaihd.net。

在我的Chrome扩展中，我确实设置了内容安全策略如下：
$ b

content_security_policy：script- src'self' https://ssl.google-analytics.com ; object-src'self'

然而，错误控制台中的URI仅仅是FB URI，所以我就这么想Facebook确实更新了他们的网站以限制对远程URI的访问，但我不确定这是否是一个Chrome问题，如果我在错误的计算器网络上启动了话题，那么很抱歉：

任何人都可以证实（也许指出我可能的解决方案）这个问题？谢谢大家！

当内容脚本执行XMLHTTPRequest时，扩展应绕过页面的内容安全策略，它们当前不是，这是一个错误，我已经提交了 https://bugs.webkit.org/show_bug.cgi?id=104480 查看修复它。

你是从你的扩展的内容脚本执行XHR，还是在后台页面执行它？后者应该立即工作。

I am the author of a Chrome extension that allows to translate status updates and comments right on Facebook: https://chrome.google.com/webstore/detail/facebook-translate/plofenifjagmdikfcobngnfmmnfmphin

For some days now, my users and me are getting an error in the error console that sais:

Refused to connect to 'https://api.microsofttranslator.com/V2/Http.svc/Translate?appId=&text=Chrome-Integration%3A+Google+bringt+Google+Now+auf+Desktop-PCs&to=en&contentType=text%2Fhtml' because it violates the following Content Security Policy directive: "connect-src https://.facebook.com http://.facebook.com https://.fbcdn.net http://.fbcdn.net *.facebook.net .spotilocal.com: https://.akamaihd.net ws://.facebook.com:* http://*.akamaihd.net".

In my chrome extension I did set the content security policy as follow:

"content_security_policy": "script-src 'self' https://ssl.google-analytics.com; object-src 'self'"

The URIs in the error console, however, are FB URIs only so that's why I'm thinking Facebook did update their site to restrict access to remote URIs. I'm not certain if it could be a Chrome issue, so sorry if I started the topic on the wrong stackoverflow network. :)

Can anyone confirm (and maybe point me to a possible solution for) this issue? Thanks everyone!

解决方案

Extensions should bypass a page's Content Security Policy when executing XMLHTTPRequest from a content script. They currently aren't, which is a bug. I've filed https://bugs.webkit.org/show_bug.cgi?id=104480 to take a look at fixing it.

Are you executing XHR from your extension's content script, or are you executing it in the background page? The latter should work right now.

这篇关于拒绝连接到[url]，因为它违反了以下内容安全策略指令的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！