Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

CSP issue with 3.1 in Chrome extension background context

See original GitHub issue

Ran into an issue with the latest release today. In a Chrome extension context, eval of any form is not allowed by default. This causes a problem with how you find the global object.

The offending line of code is here:

var global = Function("return this")();

There is a way to relax this constraint, but I would rather not expose my extension to XSS attacks. For now 3.0 works fine for my needs, but it would be nice to get updates in the future. Would it be possible to replace these assignments with your webpack build process for each environment? So the web version would have var global = window; and the web worker version var global = self;, etc.
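An added example (my code, not from the issue's project) of resolving the global object without dynamic code evaluation, so it runs under the default Chrome extension CSP that blocks Function("return this")(). globalThis, self, window and global are the standard names for the four environments; the probe function is an assumption about how a runtime would detect the restriction, not something the issue proposes:

```javascript
'use strict';

// Resolve the global object with static typeof checks only. Nothing here
// compiles a string to code, so no 'unsafe-eval' is required in the policy.
// Order of preference: the ES2020 name first, then the environment-specific ones.
function getGlobalObject() {
  if (typeof globalThis === 'object' && globalThis !== null) return globalThis; // ES2020, everywhere
  if (typeof self === 'object' && self !== null) return self;                   // browser pages and workers
  if (typeof window === 'object' && window !== null) return window;             // classic browser pages
  if (typeof global === 'object' && global !== null) return global;             // Node.js
  throw new Error('unable to resolve the global object in this environment');
}

// Hypothetical probe: can this context evaluate strings as code at all?
// Under a CSP without 'unsafe-eval' (the Chrome extension default) the Function
// constructor throws an EvalError, which is exactly what the original
// Function("return this")() assignment trips over at module load time.
function canEvaluateDynamicCode() {
  try {
    Function('return 1')(); // eslint-disable-line no-new-func
    return true;
  } catch (err) {
    return false; // EvalError: refused to evaluate a string as JavaScript
  }
}

// Stand-alone usage: report which object was picked and whether eval is available.
console.log(getGlobalObject() === globalThis, canEvaluateDynamicCode());
```

The runtime checks give the same result as the per-environment build the issue asks for, without a build step: every branch is a plain property lookup, so the module loads under a strict script-src even if the probe reports false.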

Issue Analytics

  • State: closed
  • Created: 7 years ago
  • Reactions: 4
  • Comments: 16 (8 by maintainers)

Top GitHub Comments

jpatel531 commented, Aug 2, 2016 (1 reaction)

augustoclaro commented, Jan 17, 2019 (0 reactions)

Seems like this problem is back on version 3.2.4.

Refused to load the script 'https://timeline47-clientstats1.pusher.com/timeline/v2/jsonp/2?session=MTU1ODk5NzI5&bundle=Mg%3D%3D&key=MmFkZWQ0Y2M0Mjg4Mjg4MWQ5ZDg%3D&lib=anM%3D&version=My4yLjQ%3D&features=WyJ3cyJd&timeline=huge_hash_removed' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://apis.google.com https://www.gstatic.com https://www.google-analytics.com https://*.pendo.io https://stats.pusher.com https://cdn.embedly.com https://fast.wistia.net https://pendo-static-xxxxx.storage.googleapis.com https://timeline45-clientstats1.pusher.com https://js.intercomcdn.com https://widget.intercom.io". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

Is there any fix coming up?
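The policy in that console message already contains 'unsafe-eval', so the 2019 report is a host allowlist mismatch rather than the eval problem from the original issue: timeline45-clientstats1.pusher.com is listed, timeline47-clientstats1.pusher.com is what the library requested. The following added example (my code, not the project's or Lightrun's) is a small script-src matcher that reproduces the browser's decision for that policy; the page origin https://app.example is a constructed placeholder, and the matcher covers 'self', scheme-sources and host-sources with wildcards, ports and paths, which is enough for external script URLs:

```javascript
'use strict';

// Policy and blocked URL copied from the console message above (query shortened).
const POLICY_FROM_REPORT =
  "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://apis.google.com " +
  "https://www.gstatic.com https://www.google-analytics.com https://*.pendo.io " +
  "https://stats.pusher.com https://cdn.embedly.com https://fast.wistia.net " +
  "https://pendo-static-xxxxx.storage.googleapis.com " +
  "https://timeline45-clientstats1.pusher.com https://js.intercomcdn.com " +
  "https://widget.intercom.io";
const BLOCKED_URL =
  'https://timeline47-clientstats1.pusher.com/timeline/v2/jsonp/2?session=MTU1ODk5NzI5';

// Parse a policy string into Map<directive name, source expressions>.
// Per the CSP spec the first occurrence of a directive wins; duplicates are ignored.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Fallback chain for <script src> loads: script-src-elem -> script-src -> default-src.
// This is the "'script-src-elem' was not explicitly set" note in the console message.
function effectiveDirective(directives) {
  for (const name of ['script-src-elem', 'script-src', 'default-src']) {
    if (directives.has(name)) return { name, sources: directives.get(name) };
  }
  return null; // no governing directive, so the load is not restricted
}

// Does one source expression match the script URL?
function sourceMatches(expr, url, pageOrigin) {
  if (expr.startsWith("'")) {
    // Keyword sources: only 'self' can authorise a URL. 'unsafe-inline',
    // 'unsafe-eval', 'none', nonces and hashes never match an external URL.
    return expr === "'self'" && url.origin === pageOrigin;
  }
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {
    return url.protocol === expr.toLowerCase(); // scheme-source such as "https:"
  }
  // host-source: [scheme://]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|\*?[^\/:]+)(?::(\*|\d+))?(\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ':') return false;
  const hostname = url.hostname.toLowerCase();
  const pattern = host.toLowerCase();
  if (pattern !== '*') {
    if (pattern.startsWith('*.')) {
      if (!hostname.endsWith(pattern.slice(1))) return false; // "*.pendo.io" matches "x.pendo.io"
    } else if (hostname !== pattern) {
      return false; // plain hosts match exactly: timeline45 does not cover timeline47
    }
  }
  if (port && port !== '*') {
    const effectivePort = url.port || { 'https:': '443', 'http:': '80' }[url.protocol] || '';
    if (effectivePort !== port) return false;
  }
  if (path) {
    // A path ending in "/" is a prefix match; any other path must match exactly.
    if (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path) return false;
  }
  return true;
}

// Decide whether a <script src> load is permitted, and which directive governed it.
function isScriptAllowed(policy, scriptUrl, pageOrigin) {
  const directive = effectiveDirective(parseCsp(policy));
  if (!directive) return { allowed: true, directive: null };
  const url = new URL(scriptUrl);
  const allowed = directive.sources.some((expr) => sourceMatches(expr, url, pageOrigin));
  return { allowed, directive: directive.name };
}

// Stand-alone usage: reproduce the reported refusal.
console.log(isScriptAllowed(POLICY_FROM_REPORT, BLOCKED_URL, 'https://app.example'));
```

Running the matcher over the reported policy shows the fix is on the policy side for this symptom: either list the additional stats host or, since the library picks a numbered timeline host, an expression such as https://*.pusher.com, weighed against how much of that domain the page should trust.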
