Issue With Content Security Policy in Chrome Extension

StackOverflow https://stackoverflow.com/questions/23198707

Question

This is from my chrome extension.

"permissions": [
"storage",
"https://app.socialschools.nl/*",
"http://*.google.com/", // Refer to http://goo.gl/CPeqK http://goo.gl/U3Vev
"bookmarks", // http://code.google.com/chrome/extensions/bookmarks.html
"chrome://favicon/",
"clipboardRead", // document.execCommand('paste').
"clipboardWrite", // document.execCommand('copy' OR 'cut')
"contextMenus", //http:///code.google.com/chrome/extensions/contextMenus.html
"cookies", // http://code.google.com/chrome/extensions/cookies.html
// "experimental", // http://code.google.com/chrome/extensions/dev/experimental.html
"fileBrowserHandler", // http://goo.gl/GqbrP
"geolocation", // http://dev.w3.org/geo/api/spec-source.html
"history", // http://code.google.com/chrome/extensions/history.html
"idle", // http://code.google.com/chrome/extensions/idle.html
"management", // http://code.google.com/chrome/extensions/management.html
"notifications", // code.google.com/chrome/extensions/notifications.html
"tabs", // http://code.google.com/chrome/extensions/tabs.html +windows.html
"tts", // http://code.google.com/chrome/extensions/tts.html
"ttsEngine", // http://code.google.com/chrome/extensions/ttsEngine.html
"unlimitedStorage"
],

"content_security_policy":"script-src 'unsafe-eval' https://apps.socialschools.nl/;object-src 'self';connect-src https://app.socialschools.nl/",

I have added the API url (https://app.socialschools.nl) in both script-src, permissions and connect-src. Still, I get this error:

Refused to load the script 'https://app.socialschools.nl/apiv1/public/924/post/?callback=jQuery16200253…109_1398087409246&only_descendants=false&number_of_items=5&_=1398087409299' because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' https://apps.socialschools.nl/".

I can't seem to understand what I am missing here? Can someone please help me out in figuring out this issue.

Thanks in advance.

Was it helpful?

Solution

I found out that the API doesn't support HTTPS yet and CSP's script-src requires HTTPS for external sources. Hence there were the issues with Content Security Policy.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top