When an externally-loaded script (in a Chrome extension intended to augment Gmail) tries to make an XHR / AJAX request, it fails.
Refused to load the script 'https://<domain-path>.js?' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://talkgadget.google.com/ https://www.googleapis.com/appsmarket/v2/installedApps/ https://www-gm-opensocial.googleusercontent.com/gadgets/js/ https://docs.google.com/static/doclist/client/js/ https://www.google.com/tools/feedback/ https://s.ytimg.com/yts/jsbin/ https://www.youtube.com/iframe_api https://ssl.google-analytics.com/ https://apis.google.com/_/scs/abc-static/ https://apis.google.com/js/ https://clients1.google.com/complete/ https://apis.google.com/_/scs/apps-static/_/js/ https://ssl.gstatic.com/inputtools/js/ https://ssl.gstatic.com/cloudsearch/static/o/js/ https://www.gstatic.com/feedback/js/ https://www.gstatic.com/common_sharing/static/client/js/ https://www.gstatic.com/og/_/js/".
Because of this: http://googleonlinesecurity.blogspot.com/2014/12/reject-unexpected-content-security.html
And from this question: Gmail Content Security Policy on Chrome extensions
The solution works for injecting an externally loaded script into the page. However, if that script makes an XHR request, it is blocked the same way:
The workflow is:
- Extension launches for gmail.com, injecting a local file into head (preloader.js)
- Preloader loads an external JavaScript file (actual-code.js) by injecting a tag.
- Actual extension code tries to make an AJAX / XHR request and it's blocked by Gmail's CSP.
This doesn't seem to be solvable by updating the CSP in the extension, because those policies apply to content scripts, not any manually injected scripts.
Possible solution with drawbacks:
- Include the full code in the extension (harder to keep up to date, tied to extension releases)
Any other ideas?
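A simplified CSP source-list matcher, added here as an example (not code from the question or from any Chrome extension), that shows why a script hosted outside the listed sources is refused by Gmail's script-src. It generalizes to any directive's source list, including wildcard hosts and explicit ports that the quoted policy does not use; the external script URL and the Gmail origin it checks are constructed placeholders.

```javascript
// Added example: a simplified CSP source-list matcher following the host-source
// rules (scheme, host with optional "*." wildcard, port, path prefix/exact match).
// Not a full CSP engine: nonces, hashes and 'strict-dynamic' are not handled.

// Subset of the script-src directive quoted in the error message above.
const GMAIL_SCRIPT_SRC = "'self' 'unsafe-inline' 'unsafe-eval' " +
  "https://talkgadget.google.com/ https://www.googleapis.com/appsmarket/v2/installedApps/ " +
  "https://apis.google.com/js/ https://www.youtube.com/iframe_api";

const DEFAULT_PORT = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Does one host-source expression (e.g. "https://apis.google.com/js/") allow the target URL?
function matchesHostSource(target, src, page) {
  if (src === "*") return target.protocol in DEFAULT_PORT; // bare "*" allows any network scheme
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?(\/[^?#]*)?$/i.exec(src);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  // Scheme: an explicit scheme must match; an omitted one inherits the page's (http also allows https).
  const wantScheme = scheme ? scheme.toLowerCase() + ":" : page.protocol;
  if (target.protocol !== wantScheme && !(wantScheme === "http:" && target.protocol === "https:")) return false;
  // Host: exact match, or "*.example.com" matches any subdomain but not the bare domain.
  const h = target.hostname.toLowerCase(), want = host.toLowerCase();
  if (want.startsWith("*.") ? !h.endsWith(want.slice(1)) : h !== want) return false;
  // Port: "*" allows any; an omitted port means the default port for the target's scheme.
  const tPort = target.port || DEFAULT_PORT[target.protocol] || "";
  const wPort = port || DEFAULT_PORT[target.protocol] || "";
  if (wPort !== "*" && tPort !== wPort) return false;
  // Path: a trailing "/" is a prefix match; anything else must equal the target path (query ignored).
  if (path && (path.endsWith("/") ? !target.pathname.startsWith(path) : target.pathname !== path)) return false;
  return true;
}

// Returns true when url is allowed by the source list for a page served from pageOrigin.
function allowedBySourceList(url, sourceList, pageOrigin) {
  const target = new URL(url), page = new URL(pageOrigin);
  return sourceList.trim().split(/\s+/).some((src) => {
    if (src === "'self'") return target.origin === page.origin;
    if (src.startsWith("'")) return false; // 'unsafe-inline', 'unsafe-eval', 'none': not URL sources
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return target.protocol === src.toLowerCase(); // e.g. "https:"
    return matchesHostSource(target, src, page);
  });
}

// Constructed URL standing in for the <domain-path>.js placeholder in the question.
const EXTERNAL_SCRIPT = "https://extension-cdn.example/actual-code.js?v=3";
const GMAIL_ORIGIN = "https://mail.google.com"; // constructed page origin

console.log(allowedBySourceList(EXTERNAL_SCRIPT, GMAIL_SCRIPT_SRC, GMAIL_ORIGIN)); // false: refused, as in the error
console.log(allowedBySourceList("https://apis.google.com/js/api.js", GMAIL_SCRIPT_SRC, GMAIL_ORIGIN)); // true
```

The same check applies to the XHR step: fetch and XMLHttpRequest destinations are governed by the page's connect-src source list, so a request to a host outside it is refused just like the script load.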