
So I'm grabbing a tweet and having it sent to my extension, which then uses that in an HTML popup. I seem to be having issues with the actual loading of the tweet design. I'm using http://platform.twitter.com/widgets.js as a local file, since Google Chrome extensions don't allow inline scripting.

However, the widgets.js file itself makes a call which is blocked by Google.

```
widget.js:1 Refused to load the script 'https://platform.twitter.com/js/tweet.3f0c77e9c86dd5bae672ba9948814692.js' because it violates the following Content Security Policy directive: "script-src 'self' blob: filesystem: chrome-extension-resource:".
Function.bind.test.window.__twttr.window.__twttr.widgets.window.__twttr.widgets.init.e.e @ widget.js:1
background.js:39 Uncaught (in promise) TypeError: Cannot read property 'contentDocument' of undefined
    at background.js:39
    at
```

So I'm not really sure how to go about it. Is there another method I can use to embed tweets? I basically followed this https://ctrlq.org/code/19933-embed-tweet-with-javascript but instead of doing `<script sync src="https://platform.twitter.com/widgets.js">` I just downloaded the file and did `<script src="widget.js">`.

Cobwebster
  • Include `https://platform.twitter.com` in the extension's Content Security Policy. See [documentation](https://developer.chrome.com/extensions/contentSecurityPolicy). – Iván Nokonoko Feb 09 '18 at 14:36
  • There were warnings when trying to install this extension: Ignored insecure CSP value "'https://platform.twitter.com/'" in directive 'script-src'. CSP directive 'object-src' must be specified (either explicitly, or implicitly via 'default-src') and must whitelist only secure resources. I basically did this in my manifest: `"content_security_policy": "script-src 'self' 'https://platform.twitter.com/'",` – Cobwebster Feb 09 '18 at 20:05
  • Try eliminating the inverted commas around the URL and the last forward slash. Also you have to define `object-src` policy. Something like `"content_security_policy" : "script-src 'self' https://platform.twitter.com; object-src 'self'"`. – Iván Nokonoko Feb 10 '18 at 20:29
  • Added that in, didn't seem to fix it. https://pastebin.com/enN9yQEB – Cobwebster Feb 11 '18 at 00:11
  • The error indicates which URL you have to include on CSP. Add `https://cdn.syndication.twimg.com` to the `script-src` list. – Iván Nokonoko Feb 11 '18 at 08:47
  • https://pastebin.com/yseK54x4 Tried that, same result. Not sure if I did it correctly, I tried 2 examples. – Cobwebster Feb 12 '18 at 02:16
  • I added https://platform.twitter.com/js/tweet.3f0c77e9c86dd5bae672ba9948814692.js and it seemed to have fixed it. I'm not sure if that URL only applies for 1 tweet, or whether it would still be allowed if I changed the tweet. – Cobwebster Feb 12 '18 at 06:07
  • Use your first attempt CSP but delete `/widgets.js`. Something like `"content_security_policy" : "script-src 'self' https://platform.twitter.com https://cdn.syndication.twimg.com; object-src 'self'"` – Iván Nokonoko Feb 12 '18 at 07:46
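
An added example, not part of the original question or comments: a simplified model of CSP source matching that shows why the quoted URL was ignored and why listing a single file path only allows that one file. The function names and the `/widgets.js` policy are constructed for illustration; wildcard hosts and explicit ports are not modelled.

```javascript
// Added example: simplified model of CSP host-source matching, not Chrome's own code.
// Wildcard hosts and explicit ports are not modelled.

// URL taken from the error message in the question.
const BLOCKED = "https://platform.twitter.com/js/tweet.3f0c77e9c86dd5bae672ba9948814692.js";
const QUOTED = "script-src 'self' 'https://platform.twitter.com/'";
// Constructed policy: one file path listed instead of the origin.
const ONE_FILE = "script-src 'self' https://platform.twitter.com/widgets.js; object-src 'self'";
const ORIGINS = "script-src 'self' https://platform.twitter.com https://cdn.syndication.twimg.com; object-src 'self'";

// Split a policy string into { directive: [source, ...] }.
function parseCsp(policy) {
  const out = {};
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) out[name.toLowerCase()] = sources;
  }
  return out;
}

// Report the two mistakes named in the install warning from the comments.
function auditExtensionCsp(policy) {
  const csp = parseCsp(policy);
  const problems = [];
  for (const src of csp["script-src"] || []) {
    if (/^'https?:/i.test(src)) problems.push(`quoted URL is not a valid source: ${src}`);
  }
  if (!csp["object-src"] && !csp["default-src"]) problems.push("object-src is not specified");
  return problems;
}

// True when script-src allows the remote URL. A source without a path covers the
// whole origin; with a path it matches exactly, or as a prefix if it ends in "/".
function allowsScript(policy, url) {
  const target = new URL(url);
  return (parseCsp(policy)["script-src"] || []).some((src) => {
    const m = src.match(/^(https?:\/\/[^/]+)(\/.*)?$/i);
    if (!m || new URL(m[1]).origin !== target.origin) return false;
    const path = m[2];
    if (!path) return true;
    return path.endsWith("/") ? target.pathname.startsWith(path) : target.pathname === path;
  });
}

for (const p of [QUOTED, ONE_FILE, ORIGINS]) {
  console.log(allowsScript(p, BLOCKED), auditExtensionCsp(p), p);
}
```

Listing the origin alone keeps working when the hashed file name under `/js/` changes, whereas a source that names one file has to be updated each time.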
