CSP issue with 3.1 in Chrome extension background context
Ran into an issue with the latest release today. In a Chrome extension context eval of any form is not allowed by default. This causes a problem with how you find the global object.
The offending line of code is here
var global = Function("return this")();
There is a way to relax this constraint but I would rather not expose my extension to XSS attacks. For now 3.0 works fine for my needs, but it would be nice to get updates in the future. Would it be possible to replace these assignments with your webpack build process for each environment? So the web version would have var global = window; and var global = self; in web workers, etc.
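A CSP-safe way to locate the global object, plus a small check for the eval-equivalent the reporter found, as an added example that is not part of the original issue or of pusher-js; `resolveGlobal`, `findEvalEquivalents` and the sample bundle are constructed here for illustration.

```javascript
// Added example (not pusher-js code): resolve the global object without an
// eval-equivalent, and flag code a script-src policy without 'unsafe-eval'
// would refuse at runtime.

// CSP-safe replacement for `Function("return this")()`. Each branch is a plain
// identifier lookup, so no CSP directive is needed to run it.
function resolveGlobal() {
  if (typeof globalThis !== 'undefined') return globalThis; // ES2020+, all modern engines
  if (typeof self !== 'undefined') return self;             // browsers, web workers, extension pages
  if (typeof window !== 'undefined') return window;         // older browsers without `self`
  if (typeof global !== 'undefined') return global;         // Node.js
  throw new Error('unable to locate the global object');
}

// Heuristic patterns for auditing a vendored bundle before shipping it in an
// extension. They are regexes, not a parser, so treat hits as leads to review.
const EVAL_EQUIVALENTS = [
  { name: 'eval()',               re: /\beval\s*\(/ },
  { name: 'Function constructor', re: /\b(?:new\s+)?Function\s*\(/ },
  { name: 'string timer',         re: /\b(?:setTimeout|setInterval)\s*\(\s*['"`]/ },
];

// Returns one finding per matching rule per line: { line, rule, text }.
function findEvalEquivalents(source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    for (const { name, re } of EVAL_EQUIVALENTS) {
      if (re.test(text)) findings.push({ line: i + 1, rule: name, text: text.trim() });
    }
  });
  return findings;
}

// Constructed sample: the line reported in the issue next to a CSP-safe form
// and a string-based timer, which CSP treats the same way as eval.
const SAMPLE_BUNDLE = [
  'var global = Function("return this")();',
  'var global2 = typeof self !== "undefined" ? self : window;',
  'setTimeout("tick()", 1000);',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findEvalEquivalents(SAMPLE_BUNDLE)); // lines 1 and 3 are flagged
  console.log(resolveGlobal() === globalThis);      // true
}
```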
Issue Analytics
- Created 7 years ago
- Reactions:4
- Comments:16 (8 by maintainers)
Top GitHub Comments
https://github.com/pusher/pusher-js/pull/188/commits/368d65cc2b3b66edd441ecf476f2c5831b3769a8
This should rectify this. I’ll get out a patch ASAP.
Seems like this problem is back on version 3.2.4.
Refused to load the script 'https://timeline47-clientstats1.pusher.com/timeline/v2/jsonp/2?session=MTU1ODk5NzI5&bundle=Mg%3D%3D&key=MmFkZWQ0Y2M0Mjg4Mjg4MWQ5ZDg%3D&lib=anM%3D&version=My4yLjQ%3D&features=WyJ3cyJd&timeline=huge_hash_removed' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://apis.google.com https://www.gstatic.com https://www.google-analytics.com https://*.pendo.io https://stats.pusher.com https://cdn.embedly.com https://fast.wistia.net https://pendo-static-xxxxx.storage.googleapis.com https://timeline45-clientstats1.pusher.com https://js.intercomcdn.com https://widget.intercom.io". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
Is there any fix coming up?