
I've made a chrome extension with the following line in the manifest.json, so that I can get data via an ajax request.

"content_security_policy": "script-src 'self' http://localhost; object-src 'self'",

I want to test the extension with my live site, so I changed it to:

"content_security_policy": "script-src 'self' http://www.example.com; object-src 'self'",

but now the extension doesn't initialize when I start chrome.

xylar

2 Answers


To make cross-origin XHRs, you don't need to care about CSP. What you need to add in the manifest is host permissions for those hosts you need to access. Read https://developer.chrome.com/trunk/extensions/xhr.html for more information.

On the other hand, if your extension loads scripts (<script src="..."></script>) from an external web server, you must be aware of CSP. First, the server hosting the scripts must be HTTPS. Then, whitelist it in CSP as described in https://developer.chrome.com/trunk/extensions/contentSecurityPolicy.html#relaxing-remote-script.

Whitelisting an HTTP origin in 'script-src' is prohibited to prevent man-in-the-middle attacks and other security issues, which is why your extension doesn't load.

方 觉
Thanks. I had to amend it to `"content_security_policy": "script-src 'self' https://www.example.com; object-src 'self'"`. I just need to find a way to get my site working via https now. – xylar Feb 25 '13 at 21:44
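Added example (not code from the question or from either answer): a small checker for the two manifest.json rules the answer above describes, flagging plain-http origins in script-src (which stop the extension from loading) and XHR targets that no host permission covers. It assumes a manifest_version 2 layout (content_security_policy as a string, permissions as an array of match patterns) and that http://localhost and http://127.0.0.1 remain allowed in script-src.

```javascript
// Parse a CSP string into { directiveName: [source, ...] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives[tokens[0]] = tokens.slice(1);
  }
  return directives;
}

// script-src sources Chrome rejects: plain-http origins other than localhost
// (assumed exception). One rejected source is enough for the extension not to load.
function disallowedScriptSources(policy) {
  const scriptSrc = parseCsp(policy)['script-src'] || [];
  return scriptSrc.filter((src) => {
    if (!src.startsWith('http://')) return false; // 'self', https://..., etc.
    const host = src.slice('http://'.length).split(/[:/]/)[0];
    return host !== 'localhost' && host !== '127.0.0.1';
  });
}

// Does any host permission (match pattern) cover the URL the XHR targets?
// API permissions such as "tabs" are skipped; "<all_urls>" covers everything.
function hasHostPermission(permissions, url) {
  return permissions.some((pattern) => {
    if (pattern === '<all_urls>') return true;
    if (!/^(\*|https?):\/\//.test(pattern)) return false;
    const re = pattern
      .replace(/[.+?^${}()|[\]\\]/g, '\\$&')      // escape regex metacharacters
      .replace(/^\*:/, 'https?:')                 // "*://" means http or https
      .replace(/:\/\/\*\\\./, '://(?:[^/]+\\.)?') // "*.host" also matches the apex host
      .replace(/:\/\/\*\//, '://[^/]+/')          // "*://*/" means any host
      .replace(/\*/g, '.*');                      // trailing path wildcard
    return new RegExp('^' + re + '$').test(url);
  });
}

// Both checks for one manifest; returns a list of problems (empty means OK).
function checkManifest(manifest, xhrUrl) {
  const problems = [];
  for (const src of disallowedScriptSources(manifest.content_security_policy || '')) {
    problems.push(`script-src allows plain-http origin ${src}; serve it over https`);
  }
  if (!hasHostPermission(manifest.permissions || [], xhrUrl)) {
    problems.push(`no host permission covers ${xhrUrl}; add it to "permissions"`);
  }
  return problems;
}
```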

Have you added permissions? If not, then try this; hope it works.

"permissions": [
  "http://www.example.com/*",
  "tabs"
],
"content_scripts": [
  {
    "matches": [
      "http://www.example.com/*"
    ],
    "js": [
      "js/myScript.js"
    ]
  }
]
Raghvendra Parashar