Question

I've made a chrome extension with the following line in the manifest.json, so that I can get data via an ajax request.

"content_security_policy": "script-src 'self' http://localhost; object-src 'self'",

I want to test the extension with my live site, so I changed it to:

"content_security_policy": "script-src 'self' http://www.example.com; object-src 'self'",

but now the extension doesn't initialize when I start chrome.


Solution

To make cross-origin XHRs, you don't need to care about CSP. What you need to add in the manifest is host permissions for those hosts you need to access. Read https://developer.chrome.com/trunk/extensions/xhr.html for more information.

On the other hand, if your extension loads scripts (<script src="..."></script>) from an external web server, you must be aware of CSP. First, the server hosting the scripts must be HTTPS. Then, whitelist it in CSP as described in https://developer.chrome.com/trunk/extensions/contentSecurityPolicy.html#relaxing-remote-script.

Whitelisting an HTTP origin in 'script-src' is prohibited to prevent man-in-the-middle attacks and other security issues, which is why your extension doesn't load.

OTHER TIPS

Have you added permissions? If not, then try this; hope it works.

"permissions": [
  "http://www.example.com/*",
  "tabs"
],
"content_scripts": [
  {
    "matches": [
      "http://www.example.com/*"
    ],
    "js": [
      "js/myScript.js"
    ]
  }
]
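The two answers above make two separate points: cross-origin XHR is governed by host permissions, not by the CSP, and the CSP's script-src may only whitelist 'self', HTTPS origins and localhost. The following is an added example (not code from the question or either answer) that checks a Manifest V2 manifest against both rules offline. The manifest keys are the real ones; the sample manifest, host names and URLs are constructed for illustration, and the match-pattern matcher covers only http/https host patterns.

```javascript
// Added example, not from the original question or answers.
// Audits a Manifest V2 extension manifest against the rules the answers
// describe: XHR to a host needs a matching host permission (the CSP is
// irrelevant for XHR), and script-src may only whitelist 'self', https:
// origins and localhost/127.0.0.1. Sample data below is constructed.

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Parse "script-src 'self' x; object-src 'self'" into { directive: [sources] }.
function parseCsp(csp) {
  const directives = {};
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0]] = tokens.slice(1);
  }
  return directives;
}

// Return the script-src sources Chrome rejects: plain http:// origins other
// than localhost/127.0.0.1 (those two are tolerated for development).
function insecureScriptSources(csp) {
  const sources = parseCsp(csp)['script-src'] || [];
  return sources.filter((src) => {
    const m = /^http:\/\/([^/:]+)/i.exec(src);
    if (!m) return false; // 'self', https: origins and keywords are fine
    const host = m[1].toLowerCase();
    return host !== 'localhost' && host !== '127.0.0.1';
  });
}

// Compile a host-permission match pattern (http/https only here) to a RegExp.
// Returns null for non-URL permissions such as "tabs".
function matchPatternToRegExp(pattern) {
  if (pattern === '<all_urls>') return /^https?:\/\/.*$/;
  const m = /^(\*|https?):\/\/(\*|\*\.[^/*]+|[^/*]+)(\/.*)$/.exec(pattern);
  if (!m) return null;
  const scheme = m[1] === '*' ? 'https?' : m[1];
  let host;
  if (m[2] === '*') host = '[^/]+';
  else if (m[2].startsWith('*.')) host = '([^/]+\\.)?' + escapeRe(m[2].slice(2));
  else host = escapeRe(m[2]);
  const path = escapeRe(m[3]).replace(/\\\*/g, '.*'); // '*' in path is a wildcard
  return new RegExp(`^${scheme}://${host}${path}$`);
}

// Can a script in this extension XHR to `url`? Only host permissions matter.
function canRequest(manifest, url) {
  return (manifest.permissions || []).some((p) => {
    const re = matchPatternToRegExp(p);
    return re !== null && re.test(url);
  });
}

// Summary: script-src entries Chrome will refuse, and URLs the extension
// could not fetch with its current host permissions.
function auditManifest(manifest, urlsToFetch) {
  return {
    insecureScriptSources: insecureScriptSources(manifest.content_security_policy || ''),
    unreachable: urlsToFetch.filter((u) => !canRequest(manifest, u)),
  };
}

// Constructed sample: the asker's second CSP plus the host permission the
// second answer suggests. Note the permission is http-only, so an https URL
// on the same host is still unreachable.
const sampleManifest = {
  manifest_version: 2,
  name: 'csp-demo',
  version: '0.1',
  permissions: ['http://www.example.com/*', 'tabs'],
  content_security_policy: "script-src 'self' http://www.example.com; object-src 'self'",
};

const sampleReport = auditManifest(sampleManifest, [
  'http://www.example.com/api/data',
  'https://www.example.com/api/data',
]);
console.log(JSON.stringify(sampleReport));
```

Running it reports http://www.example.com as a rejected script-src source (the reason the asker's second manifest fails to load) and flags the https URL as unreachable because the permission pattern is scheme-specific; a `*://www.example.com/*` permission would cover both schemes.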
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow