how to fix 'Chrome Content Security Policy Directive' in chrome extension

4
votes

I'm making a chrome extension that hits Wikipedia's API through an ajax call using JQuery. I have included a copy of JQuery in my extension's local js folder. in the popup I have an input and I take that value and do a get request in the popup.js and I get a "Refused to load the script because it violates the following Content Security Policy directive: "script-src 'self' blob: filesystem: chrome-extension-resource:". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback."

I have WebRequest and <all_urls> set in the permissions in manifest.json file. This is what my permissions look like in the manifest: 

"permissions": [
    "tabs",
    "webNavigation",
    "webRequest",
    "<all_urls>",
    "https://en.wikipedia.org/*"
  ],

I saw that adding a "content_security_policy": "script-src-elem 'self' https://www.wikipedia.org/" would make it easier on it but that didn't solve the problem. 

$('#urlCopyButton').click(function search() {
    var searchWord = document.querySelector('#searchWord').value;
    console.log(searchWord);
    var results = [];


$.ajax({
          crossDomain: true,
          header: 'Access-Control-Allow-Origin',
          url:`https://en.wikipedia.org/w/api.php?action=opensearch&format=json&maxlag=5&search=${searchWord}&callback=?`,
          type: 'GET',
          dataType: 'json',
          beforeSend: function(xhr){xhr.setRequestHeader('https://en.wikipedia.org', 'https://en.wikipedia.org');},
          success: (data) => {
              $("#output").html("");
            var i =0;
            for (var i = 0; i < data[1].length; i++) {
              $("#output").append(`<li><a href= "${data[3][i]  } ">${data[1][i] + " " + data[2][i]}<a></li>`);
            }
            console.log(data);
          },
          error: (err) =>{
            console.log(err.responseJSON);
          }


      })

})

I expect it to be a success and the data to so up in the console but it doesn't it throws this error:

Refused to load the script 'https://en.wikipedia.org/w/api.php?action=opensearch&format=json&maxlag=5&search=dfa&callback=jQuery33108394586597996985_1549655186216&_=1549655186217' because it violates the following Content Security Policy directive: "script-src 'self' blob: filesystem: chrome-extension-resource:". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

send @ jquery.js:2"

1
javascriptjqueryajaxgoogle-chromegoogle-chrome-extension
I can post a link to a github repo with all my code if you need me to - Drew Gillies
See the documentation: simply declare the site in ”permissions” field and don't use CORS headers in the request. No need to modify CSP either. - wOxxOm
I've already got it in the permissions: "permissions": [ "tabs", "webNavigation", "webRequest", "<all_urls>", " en.wikipedia.org* " ], - Drew Gillies
I removed the CORS headers from the ajax call and CSP from the manifset.json. It still is an error: Refused to load the script 'en.wikipedia.org/w/…' because it violates the following Content Security Policy directive: "script-src 'self' blob: filesystem: chrome-extension-resource:". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.. however, when i click on the link it takes me to what I expected to get back. - Drew Gillies
so is there a way to let Chrome be okay with the script? - Drew Gillies

1 Answers

2
votes

Wikipedia's callback=? parameter is an ancient hack to load dataType: 'json' as a script, which is forbidden by default CSP in extensions. While many existing answers suggest relaxing the default extension CSP, it's obviously a bad solution that opens the extension to various remote attacks (like MitM).

Simply remove &callback=? parameter so that wikipedia returns a valid JSON by default.

No need for CORS-related tweaks like headers or crossDomain: true, no need to modify CSP.

$.ajax({
  url: 'https://en.wikipedia.org/w/api.php?' +
       'action=opensearch&format=json&maxlag=5&search=' + encodeURIComponent(searchWord),
  success(data) {
    // ...............
    // data is an object/array, you can process it directly here
    // ...............
  },
});

manifest.json should allow the URL:

  • "permissions": ["https://*.wikipedia.org/"]
  • "permissions": ["<all_urls>"]