We develop browser extensions for Google Chrome, Firefox and Safari. Our extension displays an iframe in Gmail, Yahoo Mail, Hotmail and AOL Mail. The iframe is loaded from an external HTTPS website (such as https://ws-web.appspot.com/login#5635505603477504, where the number is the user's id and will change per user). We want to do the same with Google's Inbox (in Chrome), but when we open the iframe in Inbox we get this error message in the console:
Refused to frame 'https://ws-web.appspot.com/login#5635505603477504' because it violates the following Content Security Policy directive: "frame-src https://*.talkgadget.google.com/ 'self' https://talkgadget.google.com https://accounts.google.com/ https://ssl.google-analytics.com/ https://feedback.googleusercontent.com/resources/ https://www.google.com/tools/feedback/ https://plus.google.com/ https://docs.google.com/ https://clients5.google.com/pagead/drt/dn/ https://clients5.google.com/ads/measurement/jn/ https://clients6.google.com/static/ https://mail.google.com/mail/ https://mail-attachment.googleusercontent.com/attachment/".
And the body of the iframe is empty. This error happens only in Inbox, and not in the other websites above. Is it possible to fix this bug and show the iframe in Inbox?
Edit: I tried to add "https://ws-web.appspot.com/*" to "web_accessible_resources" in manifest.json, but it doesn't solve the problem.
