Chrome app throwing error: “Refused to load the script because it violates the following Content Security Policy directive”
Reported by
sreejith...@impelsys.com,
Jul 21 2017
Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

Steps to reproduce the problem:
1. Download Lerner eReader chrome app
2. Login and download any interactive book
3. Open the downloaded book

What is the expected behavior?
Content should load

What went wrong?
Content is not loading. When I check the console it's throwing the error "Refused to load the script because it violates the following Content Security Policy directive"

Did this work before? Yes, up to 56 it's working fine

Chrome version: 57 Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: Shockwave Flash 26.0 r0

Mine is a Chrome app, and I know that inline style and scripts are not allowed in the html. In my case the content I'm trying to load contains inline scripts. But it works fine until Chrome version 56.
Jul 24 2017
First, Chrome 56 is very old. Are you seeing issues on the current stable? If so, can you help me understand the issue in a little more detail? The whole console error, for instance? And maybe some of the code that is throwing the error in the first place? Thanks! (56 might have been around the time that `blob:` was excluded from `*`. Does that sound like it might affect your app? If so, add `blob:` to the relevant directive's source list, and see if it helps?)
Jul 24 2017
Hi, below is the error message that I'm getting in the console.
"Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self' blob: filesystem: chrome-extension-resource:". Either the 'unsafe-inline' keyword, a hash ('sha256-BT+JdBasK7kJNAxSjO0VRwcY3RyyM/HFzC2AUYFEJHg='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.".
In my case, I have an iframe and I'm pointing that iframe to an xhtml file which contains both inline style and script.
The app is still working in version 56 with the same code set, but not working in 57+.
I tried to load my app by removing those inline style and script from the xhtml file, and that time it's loading fine (in latest Chrome 59).
Below is the CSP that I have given in my manifest:
"content_security_policy": "frame-src 'self' 'asd.com/page.xhtml'; script-src 'unsafe-inline' 'unsafe-eval' 'self' blob: filesystem: chrome-extension-resource: ; default-src 'unsafe-inline' 'unsafe-eval' 'self' blob: filesystem: chrome-extension-resource:; allow 'self'; media-src *; img-src *; object-src 'unsafe-inline' 'unsafe-eval' 'self'; style-src 'self' 'unsafe-inline';"
Jul 24 2017
Is the `<iframe>` loading a `blob:` or `data:` URL? If so, we're imposing the parent's policy onto the frame, which I think might also have been fixed around the same timeframe. Also: you need to drop the single-quotes from `'asd.com/page.xhtml'`. It's not a keyword, so it shouldn't be quoted. :)
Jul 24 2017
Yes, I'm loading a blob from the filesystem (which is that xhtml file).
Aug 1 2017
`blob:` URLs inherit the policy from their parent. That's both intentional and matches the spec (see step #1 of https://w3c.github.io/webappsec-csp/#initialize-document-csp). I don't believe we're going to change that behavior (especially not since it matches other vendors). Perhaps it will be possible for you to stop executing inline script in the content you put into the blob and load into the App's context?
Comment 1 by ajha@chromium.org, Jul 21 2017
Components: -Blink Blink>SecurityFeature
Labels: TE-NeedsTriageFromMTV