answers: 1 / hits: 7657 / asked Fri, December 6, 2013

Trying to load different contents (can be PDF, SWF etc.) in an 'iframe' through JavaScript in a Chrome extension application. The content is loaded using the data URL scheme as:

// This script is registered in the HTML file, and loadFunction is registered
// inside the DOMContentLoaded event on the click of a button.
// base64Data is the base64-encoded content received from a C++ class.
function loadFunction(base64Data) {
    window.parent.document.getElementById('page_data').src =
        'data:application/pdf;base64,' + base64Data;
}


but as soon as the above function is called, a content security policy error is raised:

Refused to load plugin data from 'data:application/pdf;base64,JVBERi0xLjQNCiXi48/TDQoxIDAgb2JqDQo8PA0KL1R5cGU…mRvYmoNCjkgMCBvYmoNCjw8DQovVHlwZSAvRm9udA0KL1N1YnR5cGUgL1R5cGUxDQovQmFzZUZ' because it violates the following Content Security Policy directive: default-src 'self'

But surprisingly, this error is NOT raised when the data URL is changed to 'data:image/png;base64,' + 'base64 encoded data'; the image gets loaded into the iframe successfully.



As far as I know, this error is raised only when inline code is executed directly in the HTML file, but this isn't the case here, and if that is the case, then why does it not get raised for image files?

Also, if I try setting the content security policy in the manifest.json file as:

"content_security_policy": "script-src 'self'; object-src 'self'; frame-src 'self' data:"



then the error changes to:

Refused to load plugin data from 'data:application/pdf;base64,' because it violates the following Content Security Policy directive: object-src 'self'

so probably object-src needs to be set, but I'm not sure what it should be.



Answers

According to the documentation of the Chrome extension's Content Security Policy:

Note that both script-src and object-src are defined by the policy. Chrome will not accept a policy that doesn't limit each of these values to (at least) 'self'.

It is not possible to relax your extension's CSP to accept the PDF.

However...

You can define a sandboxed extension resource, i.e. a page within your extension that is not affected by the extension's CSP. At the same time, the page will lose its access to the Chrome extension API, to protect against security vulnerabilities in your page. If you wish to communicate between your extension and the sandboxed page, use postMessage, e.g. as shown at "Using eval in Chrome Extensions. Safely."


Answered Thursday, December 5, 2013
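An added example (not code from the question, the answer, or Chrome's documentation) of the handoff the answer describes: the extension page, still under the extension CSP, posts the base64 content to a page listed under "sandbox" > "pages" in manifest.json, and the sandboxed page validates the message before it builds the data: URL for its own inner frame. The file name sandbox.html, the frame ids, the message shape and the function names are assumptions, as is that the sandboxed page's own CSP allows the data: frame; because a sandboxed page runs in a unique origin, the parent targets '*' and the receiver checks event.source rather than event.origin.

```javascript
// Assumed layout (not from the original page):
//   manifest.json : "sandbox": { "pages": ["sandbox.html"] }
//   main page     : <iframe id="sandbox" src="sandbox.html">
//   sandbox.html  : <iframe id="page_data">, receives content via postMessage

// Only these MIME types may become data: URLs for the inner frame.
const ALLOWED_TYPES = new Set(['application/pdf', 'image/png']);
// Strict base64: 4-char groups, optional padding only at the end.
const BASE64_RE = /^(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=)?$/;

// Extension-page side: wrap the content received from the C++ side in a message.
function makeLoadMessage(mimeType, base64) {
  return { type: 'load-content', mimeType: mimeType, base64: base64 };
}

// Sandbox side: validate one message event and return the data: URL to
// assign, or null if the message must be ignored. `trustedSource` is the
// window the sandbox expects to hear from (window.parent in the browser).
function dataUrlFromMessage(event, trustedSource) {
  if (event.source !== trustedSource) return null;         // not our parent
  const msg = event.data;
  if (!msg || typeof msg !== 'object' || msg.type !== 'load-content') return null;
  if (!ALLOWED_TYPES.has(msg.mimeType)) return null;       // reject e.g. text/html
  if (typeof msg.base64 !== 'string' || !BASE64_RE.test(msg.base64)) return null;
  return 'data:' + msg.mimeType + ';base64,' + msg.base64;
}

// Sandbox side: listener wiring; only meaningful inside a browser.
function installSandboxListener(win, doc) {
  win.addEventListener('message', function (event) {
    const url = dataUrlFromMessage(event, win.parent);
    if (url) doc.getElementById('page_data').src = url;
  });
}

// Extension-page side: hand the content to the sandboxed frame. The sandbox
// has a unique (opaque) origin, so '*' is the only usable targetOrigin here.
function sendToSandbox(doc, mimeType, base64) {
  const frame = doc.getElementById('sandbox');
  frame.contentWindow.postMessage(makeLoadMessage(mimeType, base64), '*');
}

if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  installSandboxListener(window, document);
}
```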