google.com" in directive 'script-src'

Asked Sep 19 '22 at 17:20

Active Sep 19 '22 at 17:20

Viewed 860 times

I am trying to add content security policy to my V3 manifest file for applying reCaptcha v3 to my chrome extension but I keep getting the following error

'content_security_policy.extension_pages': Insecure CSP value "https://google.com" in directive 'script-src'.

My CSP is given below, what am I doing wrong?

"content_security_policy": {
  "extension_pages": "script-src 'self' https://*.google.com https://*.gstatic.com; object-src 'self'"
}

asked Sep 19 '22 at 17:20

Haseeb Zahid

3

ManifestV3 disallows external code by design, intentionally. You'll need to find an alternative distribution for this library, try looking on their forums. – wOxxOm Sep 19 '22 at 19:05
1

The same issue applies to Google Analytics and `https://ssl.google-analytics.com`. Unfortunately, like most v3 migration requirements, the [v2 GA page](https://developer.chrome.com/docs/extensions/mv2/tut_analytics/) warns about v3 but doesn't link to any v3 equivalent guidance. I'm guessing that means you need to download the remote service script (reCaptcah for you, GA for me) and include it directly in your extension. – patridge Sep 23 '22 at 23:02
@Haseeb, got the solution yet? for v3 – Dee Jan 04 '23 at 13:55
1

@Dee Nope. I moved on to phone authentication instead. – Haseeb Zahid Jan 05 '23 at 09:04

'content_security_policy.extension pages': Insecure CSP value "https://google.com" in directive 'script-src'

0 Answers0

Linked