
I manage a Google Chrome extension that allows the user to add any CSS and JS to any website: https://chrome.google.com/webstore/detail/rweb/opiijdljnckiadkfcjjmajieannaigmd

The live version is manifest version 2, and it's time to update to MV3. I've updated a few other extensions to MV3 recently, no problem, but this one is special, because it doesn't have a concrete goal, but lets the user decide whatever to do to the loaded website. The user saves JS & CSS per domain/host, and the extension's content script runs that on every matching page.

In MV2 the content script loads the code from storage, and then adds style and script tags to the page's DOM. That way the configured JS runs INSIDE the webpage context, not content script context, so it has access to jQuery state and global functions etc. MV2 works perfectly.

In MV3 it's not allowed to add a script with arbitrary code anymore. It complains about CSP, even for websites that don't use CSP. I assume Chrome knows the script comes from an extension and that's a special kind of CSP.

> Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'wasm-unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-AlO1/1Id4iveKnVIfYjiiyBnWJi9Q+yh6WC1bMbRbFk='), or a nonce ('nonce-...') is required to enable inline execution.

(CSS still works, but maybe that's just because I'm testing on websites without CSP.)

How can my extension run arbitrary code through a content script? I have tried:

  • Like MV2: content script adds a script tag with custom code - CSP error
  • Use scripting through a message: content script sends a message with the JS code to the extension service worker, which runs `chrome.scripting.executeScript()` BUT that needs a function, not string, so the function takes the code as argument and creates a script element like the MV2 method above - CSP error
  • Inject the JS into the page as non-JS (in a `<script type="notjs">`) and then use `runtime.getURL()` and `"web_accessible_resources"` to run an extension script that converts that notjs into a real script - CSP error

Adding the sha256-... hash as integrity attr doesn't work. I don't know why the error message says it should help, but it doesn't.

CSP is really kicking my ass here. I understand the improved security of MV3, and I mostly agree, but the whole point of this extension is to run ANY user-configured JS on any website. I want the user to be in charge, not the browser's CSP. Is there any way to do this in MV3?


I've created a very simple reproducible demo extension that you can "Load unpacked" locally: https://github.com/rudiedirkx/content-script-js-demo

It uses the first (MV2) method to run arbitrary JS, and it fails with the above CSP error.

Rudie
  • While there is a [workaround](https://stackoverflow.com/a/70949953) technically, but practically you're screwed just like Tampermonkey or Violentmonkey because the web store forbids such extensions and the ManifestV3 airheads in Chromium/Google didn't yet implement an API to allow userscripts (user-supplied code). – wOxxOm Sep 26 '22 at 22:05
  • I had tried that one, except for the `world: 'MAIN'`. That's perfect. I want to run in the page context. Thanks! I feel bad now for creating a duplicate question. – Rudie Sep 27 '22 at 18:24
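
Added example (not part of the original question or its comments): a simplified Node.js model of how a CSP `script-src` list decides whether an inline script may run. It shows that the `sha256-...` value in the error message is a hash source that has to appear in the policy itself, while the `integrity` attribute (Subresource Integrity) is never consulted for inline scripts. The function names and the sample script text are constructed for illustration, and only SHA-256 hash sources are modelled.

```javascript
const crypto = require('crypto');

// CSP hash source for an inline script: base64 SHA-256 of its exact text content.
function cspHashSource(scriptText) {
  const digest = crypto.createHash('sha256').update(scriptText, 'utf8').digest('base64');
  return `'sha256-${digest}'`;
}

// Source list that governs scripts: script-src, falling back to default-src.
function scriptSources(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources); // first one wins
  }
  return directives.get('script-src') ?? directives.get('default-src') ?? null;
}

// Decide whether an inline script may run under `policy`.
// Only the policy, the script text and the nonce attribute matter; `integrity` does not.
function inlineScriptAllowed(policy, scriptText, nonceAttr = '') {
  const sources = scriptSources(policy);
  if (sources === null) return { allowed: true, reason: 'no script directive' };
  if (sources.includes(cspHashSource(scriptText))) return { allowed: true, reason: 'hash' };
  if (nonceAttr && sources.includes(`'nonce-${nonceAttr}'`)) return { allowed: true, reason: 'nonce' };
  // 'unsafe-inline' is ignored as soon as the list contains any nonce or hash source.
  const strict = sources.some(s => /^'(nonce|sha(256|384|512))-/i.test(s));
  const unsafeInline = sources.some(s => s.toLowerCase() === "'unsafe-inline'");
  if (unsafeInline && !strict) return { allowed: true, reason: 'unsafe-inline' };
  return { allowed: false, reason: 'blocked' };
}

// Policy copied from the error message on this page; the script text is constructed.
const PAGE_POLICY = "script-src 'self' 'wasm-unsafe-eval'";
const userScript = "console.log('hello from user script');";

function demo() {
  const hash = cspHashSource(userScript);
  return {
    asReported: inlineScriptAllowed(PAGE_POLICY, userScript),
    withHashInPolicy: inlineScriptAllowed(`${PAGE_POLICY} ${hash}`, userScript),
    editedAfterHashing: inlineScriptAllowed(`${PAGE_POLICY} ${hash}`, userScript + ' '),
    unsafeInlineIgnored: inlineScriptAllowed(`script-src 'unsafe-inline' ${hash}`, 'alert(1)'),
  };
}

console.log(demo());
```

Because the hash covers the exact script text, a policy that must list hashes ahead of time cannot admit code the user types in later, which is why the hash named in the error does not help a user-script extension.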
