Hi,
My extension is working on top of Gmail. Out of the Google Apps, Gmail implemented CSP policy.
I'd like to add my servers to authorized hosts for my extension in the manifest.
How can this be done for a staging extension?
Can I do that when I publish the extension to Google extension store?
Thanks
-
The log error I have from Gmail is the following:
Refused to frame 'https://www.verifrom.com/2451534975.html' because it violates the following Content Security Policy directive: "frame-src https://*.talkgadget.google.com/ https://www.gstatic.com/mail/intl/ 'self' https://accounts.google.com/ https://apis.google.com/u/ https://apis.google.com/_/streamwidgets/ https://clients6.google.com/static/ https://content.googleapis.com/static/ https://mail-attachment.googleusercon... https://www.google.com/calendar/ https://docs.google.com/ https://drive.google.com https://*.googleusercontent.com/docs/... https://feedback.googleusercontent.co... https://www.google.com/tools/feedback/ https://*.googleusercontent.com/gadge... https://talkgadget.google.com/u/ https://talkgadget.google.com/talkgad... https://isolated.mail.google.com/mail/ https://www-gm-opensocial.googleuserc... https://plus.google.com/ https://wallet.google.com/gmail/ https://www.youtube.com/embed/ https://clients5.google.com/pagead/dr... https://clients5.google.com/ads/measu... https://www.gstatic.com/mail/ww/ https://clients5.google.com/webstore/... https://ci3.googleusercontent.com/ https://apis.google.com/additnow/ https://www.gstatic.com/mail/promo/".
I tried to customize, in the Chrome staging extension, the manifest.json as follows:
"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'; frame-src 'https://www.verifrom.com/*';",
But I still get this error message.
Maybe Gmail ignores this directive?
Any idea?
Thanks -
-
Hello Emmanuel,
Crossrider only supports exporting published extensions to the Chrome Store via the Settings > Export to Chrome Web Store feature.
Of course, you can access the manifest file by unzipping the package and then editing the file. However, please be aware that we do not support extensions modified in this manner and hence you do so at your own risk -
-
Thanks Shlomo,
However you do not provide any facility to add parameters in the manifest?
So I can't get rid of my problem without customizing the manifest.
I would suggest you add, automatically, any extension resource in the "web_accessible_resources" directive in the manifest, at least.
That should solve part of the problem.
I guess we'll have more and more problems with CSP policies... not only in Gmail. And it's a good thing. -
I have forwarded your comments to the product team for their consideration in future releases. Thanks.
-
Thank you Shlomo
-
I fixed that "issue", which is caused by Content Security Policy (CSP) in Gmail and a bug in Chrome.
For people who would have the same problem, I can give a solution.
Check here for the basis of the solution (however not responding to the case the iframe has a variable URL): https://stackoverflow.com/questions/2...
Limitations :
1/ this solution still requires to modify the extension manifest by yourself, which is not a CrossRider supported procedure. At least, until CR adds all extension resources in the web_accessible_resources directive of the manifest.
2/ "native" code is required for each browser (I had to use chrome.runtime.getURL function for Chrome) -
-
Shlomo,
If you have any idea for using an appAPI function instead of chrome.runtime.getURL to get an actual resource URL, I'll take it!
Thanks again -
-
-
Thank you Shlomo.
Actually, I found a much simpler solution which fits with all browsers and does not require anything specific in the manifest or its equivalent.
1/ load the page through AJAX
2/ Insert an iFrame (no src or srcdoc)
3/ split the loaded page into head and body
4/ inject head with IFRAME.document.head.innerHTML=headFromAJAX
5/ inject body IFRAME.document.body.innerHTML=bodyFromAJAX
You eventually need to add a tag in head element, if some links in the body are relative to ajax URI.
This works on Chrome, Safari and Firefox within a page restricting iframes sources with a CSP directive. -
-
Thanks for sharing ... if you are able to share some code for the benefit of others, I'm sure they'll appreciate it.
-
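The five steps described above, as an added example that is not the poster's code. Because an iframe with no src shares the host page's origin, it allowlists the page URL, strips active content and sandboxes the frame before injecting. `TRUSTED_ORIGINS`, the function names, the use of `fetch`, and reading the unnamed head tag as `<base>` are assumptions.

```javascript
// Added example; TRUSTED_ORIGINS and every function name are assumptions.
const TRUSTED_ORIGINS = ['https://www.verifrom.com'];

// Only fetch pages from an exact HTTPS origin the extension owner controls.
function isTrustedPageUrl(url, trusted = TRUSTED_ORIGINS) {
  try {
    const u = new URL(url);
    return u.protocol === 'https:' && trusted.includes(u.origin);
  } catch (e) {
    return false; // not an absolute URL
  }
}

// True for attributes that can run script: on* handlers and javascript: URLs
// (browsers ignore whitespace and control characters inside the scheme).
function isActiveAttribute(name, value) {
  if (/^on/i.test(name)) return true;
  return /^javascript:/i.test(String(value).replace(/[\u0000-\u0020]/g, ''));
}

// Step 3: parse the fetched markup inertly, strip active content, split it.
function hardenPage(html, pageUrl) {
  const doc = new DOMParser().parseFromString(html, 'text/html');
  doc.querySelectorAll('script, iframe, frame, object, embed, base, meta[http-equiv]')
    .forEach((el) => el.remove());
  doc.querySelectorAll('*').forEach((el) => {
    for (const attr of Array.from(el.attributes)) {
      if (isActiveAttribute(attr.name, attr.value)) el.removeAttribute(attr.name);
    }
  });
  const base = doc.createElement('base'); // resolve relative links against the fetched page
  base.href = pageUrl;
  doc.head.prepend(base);
  return { head: doc.head.innerHTML, body: doc.body.innerHTML };
}

// Steps 1, 2, 4 and 5: fetch, insert an empty iframe, inject head and body.
async function injectPage(pageUrl, container) {
  if (!isTrustedPageUrl(pageUrl)) throw new Error('untrusted page URL: ' + pageUrl);
  const response = await fetch(pageUrl, { credentials: 'omit' });
  if (!response.ok) throw new Error('fetch failed: ' + response.status);
  const parts = hardenPage(await response.text(), pageUrl);
  const frame = document.createElement('iframe'); // no src, no srcdoc
  // allow-same-origin without allow-scripts: the parent can write into the
  // frame, but nothing inside the frame can execute script.
  frame.setAttribute('sandbox', 'allow-same-origin');
  container.appendChild(frame);
  frame.contentDocument.head.innerHTML = parts.head;
  frame.contentDocument.body.innerHTML = parts.body;
  return frame;
}
```

The attribute filter is a minimal one; the sandbox attribute is what keeps any markup it misses from running in the host page's origin.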