Error: Content Security Policy: The page’s settings blocked the loading of a resource

Question

I've been trying to move a simple program I made in jQuery/HTML to a Firefox WebExtension for easy deployment. The error I am getting is:

Content Security Policy: The page’s settings blocked the loading of a resource at https://code.jquery.com/jquery-1.12.4.js (“script-src moz-extension://ef8f1295-1912-4912-ab2e-121053b6781a”).

I'm sure I'm just not doing the manifest.json file right, but for the life of me I don't know where:

{
  "description": "Makes tasks from different underwriters uniform",
  "manifest_version": 2,
  "name": "Task Creator",
  "version": ".5",
  "permissions": [
    "http://*/*", "tabs", "https://*/*"
  ],

  "icons": {
    "48": "icons/page-48.png"
  },
  "web_accessible_resources": [
    "style/popUpStyle.css",
    "script/popUpTask.js",
    "script/logicTaskFiller.js",
    "js/autosize.js",
    "style/https://code.jquery.com/ui/1.12.1/themes/base/jquery-ui.css",
    "js/https://code.jquery.com/jquery-1.12.4.js",
    "js/https://code.jquery.com/ui/1.12.1/jquery-ui.js"
  ],

  "background": {
    "scripts": ["background.js"]
  },

  "browser_action": {
    "default_icon": "icons/page-32.png"
  }
}

`js/https://code.jquery.com/jquery-1.12.4.js` is an invalid file path. Use `js/jquery-1.12.4.js` and make sure the file is there. — wOxxOm, Oct 21 '16 at 20:43
Good to know, thanks.... I can't really mark you as an answer since you are in comments huh — Branden Ham, Oct 21 '16 at 20:56
"Can I not load jquery from an external website?" You can. Should you? What's the improvement? — Xan, Oct 21 '16 at 21:06
How to override CSP: https://stackoverflow.com/questions/27323631/how-to-override-content-security-policy-while-including-script-in-browser-js-con — AAAfarmclub, Dec 11 '17 at 18:46

score 5 · Accepted Answer · edited Jul 19 '20 at 18:05

5

By default, extensions cannot load scripts, or other object resources, from the Internet. All CSS and JavaScript content used by your extension should be part of the extension package.

(This documentation is from Chrome, but the exact same policies apply to Firefox WebExtensions.)

It's possible to relax these restrictions somewhat, but this should generally be avoided -- loading resources from a remote server will make your extension fail to work properly if the user does not have Internet access, or if they are behind a restrictive firewall. Additionally, addons.mozilla.org will not accept addons which execute remotely hosted Javascript.

edited Jul 19 '20 at 18:05

Peter Mortensen

30,738
21
105
131

answered Oct 21 '16 at 20:56

As stated, this is wrong, as you _can_ relax the policy. – Xan Oct 21 '16 at 21:06
2

@Xan, While you may be able to technically relax the policy, if you intend to have a WebExtension hosted by [AMO](https://addons.mozilla.org/en-US/firefox/) (the "normal" distribution method for Firefox Extensions), any JavaScript you use should be included with the extension package. Any such common libraries should exactly match copies available for download. That they do match will be checked during the review process. If you load JavaScript from an external resource, you are unlikely to pass a review for hosting on AMO. – Makyen Oct 21 '16 at 21:22
1

I don't disagree. But the original statement was still incorrect, and now corrected. – Xan Oct 21 '16 at 21:23
@Makyen That's also a good point! I've added a note about that. – Oct 21 '16 at 21:26

Error: Content Security Policy: The page’s settings blocked the loading of a resource

1 Answers1

Linked

Related