
I'm working on a Chrome extension that uses the Giphy API. Basically, a user on any website can make a request to Giphy to get some gifs if he double-clicks on some word on that website. For example, the user double-clicks the word 'car' in some article, a request is made to Giphy, and he gets gif proposals.

The plugin is working as expected on many websites, but not on all of them. On one (for now) website the request is ok, the response contains gifs, and the extension background receives those gifs, but after trying to add these gifs to the DOM (content script popup) the network panel shows (canceled) and the src of those files has the value "unknown".

I suppose it's related to some security reasons, am I right? If yes, what can I do to insert gifs into my extension popup safely? Are there any security risks for the user when he gets gifs from Giphy?

Przemo
  • Check the first response of the site in devtools, see if it has a `content-security-policy` header. It may restrict external images via `img-src` or other means (you can use an online CSP viewer/analyzer). In that case you'll have to use `data:` encoding or create an iframe pointing to an html file in your extension (see [web_accessible_resources](https://developer.chrome.com/extensions/manifest/web_accessible_resources)); inside that iframe you show anything you want. – wOxxOm Jun 09 '20 at 14:12
  • Check the first response on the website or the response from Giphy? I can't find any CSP in the header. Anyway, maybe I will try with an iframe, but I don't want to use any risky (from a security point of view) methods to handle this task. So the biggest question is: is it secure? – Przemo Jun 09 '20 at 14:28
  • The site's response. CSP header defines what the page can load. https://puu.sh/FUqst/9b976ea9cd.png – wOxxOm Jun 09 '20 at 14:34
  • As for risk and security concerns, it sounds vague so I don't know what you mean. The idea for an iframe pointing to a file listed in web_accessible_resources is that it's excluded from CSP, at least in Chrome. – wOxxOm Jun 09 '20 at 14:38
  • Thanks for the link. No, I don't see any CSP on that page. Weird. I mean, that website canceled inserting gifs into the content script popup for some reason. I don't know the reasons, so I suppose it's because it can be somehow risky to that site, and I'm just curious about those reasons because I'm working on an extension and I don't want a situation where my extension is some kind of bridge for XSS, etc ;) – Przemo Jun 09 '20 at 14:56
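The check wOxxOm describes in the comments above, done in code instead of by eye: the small evaluator below parses a page's `content-security-policy` header and reports whether an `<img src>` pointing at Giphy would be permitted, falling back from `img-src` to `default-src` the way browsers do. It also builds the `data:` form of an image, since a `data:` URL is itself only allowed when the policy lists the `data:` scheme. This is an added example, not code from the question, the comments, or any Giphy or Chrome API; the header values, page origin and Giphy URL are constructed sample inputs, and `*` is simplified to "any http(s) URL".

```javascript
// Added example, not code from the question or its comments: evaluate whether a
// page's Content-Security-Policy would let an <img> load from a given URL.
// All header values and URLs below are constructed sample inputs.

// Parse "directive src src; directive src" into a Map of name -> [sources].
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per the CSP spec, only the first occurrence of a directive counts.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Port actually in use, filling in the scheme default when the URL omits it.
function effectivePort(url) {
  if (url.port !== '') return url.port;
  return url.protocol === 'https:' ? '443' : url.protocol === 'http:' ? '80' : '';
}

// Does one source expression ('self', https:, data:, *.giphy.com, ...) match url?
function sourceMatches(expr, url, pageOrigin) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return url.origin === pageOrigin;
  // Simplification: '*' is treated as "any http(s) URL"; it never matches data:.
  if (e === '*') return url.protocol === 'http:' || url.protocol === 'https:';
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e; // scheme source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?(\/\S*)?$/.exec(e);
  if (!m) return false; // 'unsafe-inline', nonces, hashes never match an image URL
  const [, scheme, wildcard, host, port, path] = m;
  if (scheme && url.protocol !== scheme + ':') return false;
  if (wildcard ? !url.hostname.endsWith('.' + host) : url.hostname !== host) return false;
  if (port && port !== '*' && effectivePort(url) !== port) return false;
  // A path ending in '/' is a prefix match; otherwise it must match exactly.
  if (path && (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path)) return false;
  return true;
}

// True if the policy lets the page load <img src=imgUrl>. img-src falls back to
// default-src; if neither directive is present, images are unrestricted.
function imgAllowed(cspHeader, imgUrl, pageOrigin) {
  const policy = parseCsp(cspHeader);
  const sources = policy.get('img-src') ?? policy.get('default-src');
  if (sources === undefined) return true;
  const url = new URL(imgUrl);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Build the data: URL form of an image (the first workaround from the comments).
// Works in Node (Buffer) and in a browser or extension page (btoa).
function toDataUrl(bytes, mimeType) {
  const b64 = typeof Buffer !== 'undefined'
    ? Buffer.from(bytes).toString('base64')
    : btoa(String.fromCharCode(...bytes));
  return `data:${mimeType};base64,${b64}`;
}

// Constructed samples: a strict page policy, a permissive one, and a Giphy-style URL.
const SAMPLE_PAGE_ORIGIN = 'https://example.com';
const SAMPLE_GIF_URL = 'https://media.giphy.com/media/placeholder-id/giphy.gif';
const STRICT_CSP = "default-src 'self'; img-src 'self' data:";
const OPEN_CSP = "default-src 'self'; img-src 'self' https://*.giphy.com";
const GIF_HEADER = new Uint8Array([71, 73, 70, 56, 57, 97]); // "GIF89a", first bytes of a GIF

console.log('strict policy, remote gif :', imgAllowed(STRICT_CSP, SAMPLE_GIF_URL, SAMPLE_PAGE_ORIGIN));
console.log('strict policy, data: gif  :', imgAllowed(STRICT_CSP, toDataUrl(GIF_HEADER, 'image/gif'), SAMPLE_PAGE_ORIGIN));
console.log('giphy allow-listed        :', imgAllowed(OPEN_CSP, SAMPLE_GIF_URL, SAMPLE_PAGE_ORIGIN));
```

Run it with `node` against the header copied from the site's first response (DevTools, Network tab, the document request). If `imgAllowed` is false for both the remote URL and the `data:` form, the page's policy blocks images from the content script entirely, and the extension-hosted iframe route from the comments is the remaining option. Note that a page can also deliver its policy through a `<meta http-equiv="Content-Security-Policy">` tag rather than a header, which is worth checking when no header is visible.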

0 Answers