I am running selenium with headless chrome and getting the error "refused to load the image, because it violates the following Content Security Policy directive". I am parsing a third party url. So what change or option do I need to set in selenium to remove the error?
This might help: https://stackoverflow.com/questions/53304222/relaxing-chromes-csp-while-running-tests-webdriver-content-security-policy – AndiCover Mar 04 '19 at 11:36
1 Answer
Content Security Policy
Content Security Policy is a tool which developers can use to lock down their applications in various ways, mitigating the risk of content injection vulnerabilities such as cross-site scripting, and reducing the privilege with which their applications execute.
CSP is not intended as a first line of defense against content injection vulnerabilities. Instead, CSP is best used as defense-in-depth. It reduces the harm that a malicious injection can cause, but it is not a replacement for careful input validation and output encoding.
Content Security Policy Directives
As per Content Security Policy Directives to mitigate the risk of cross-site scripting attacks, web developers should include directives that regulate sources of script and plugins. They can do so by including:
- Both the script-src and object-src directives, or
- a default-src directive
In either case, developers should not include either 'unsafe-inline' or data: as valid sources in their policies. Both enable XSS attacks by allowing code to be included directly in the document itself; they are best avoided completely.
Chrome Content Security Policy
In order to mitigate a large class of potential cross-site scripting issues, Chrome's extension system has incorporated the general concept of Content Security Policy (CSP). This introduces some fairly strict policies that will make extensions more secure by default, and provides you with the ability to create and enforce rules governing the types of content that can be loaded and executed by your extensions and applications.
In general, CSP works as a block/allowlisting mechanism for resources loaded or executed by your extensions. Defining a reasonable policy for your extension enables you to carefully consider the resources that your extension requires, and to ask the browser to ensure that those are the only resources your extension has access to. These policies provide security over and above the host permissions your extension requests; they're an additional layer of protection, not a replacement.
On the web, such a policy is defined via an HTTP header or meta element. Inside Chrome's extension system, neither is an appropriate mechanism. Instead, an extension's policy is defined via the extension's manifest.json file as follows:
```json
{
  ...,
  "content_security_policy": "[POLICY STRING GOES HERE]"
  ...
}
```
Solution
- Create a new Chrome Profile
- Browse to the extension page for Disable Content-Security-Policy and Add to Chrome permanently.
Use the same customized Chrome Profile along with the extension while initiating your script:
```python
from selenium import webdriver
from selenium.webdriver.chrome.options import Options
from selenium.webdriver.chrome.service import Service

options = Options()
# Reuse the customized profile in which the CSP-disabling extension was installed
options.add_argument("user-data-dir=C:\\Users\\user_name\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 2")
# Selenium 4 removed the executable_path= and chrome_options= keywords;
# the driver path now goes through Service and the options through options=
driver = webdriver.Chrome(service=Service(r'C:\path\to\chromedriver.exe'), options=options)
driver.get("https://www.google.co.in")
```
tl; dr
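The directive advice quoted in the answer (default-src, or both script-src and object-src, and neither 'unsafe-inline' nor data: among their sources) can be checked mechanically before a policy is shipped. The following is an added example, not code from the question or the answer; the `parse_csp` and `check_script_policy` names are my own.

```python
"""Check a Content-Security-Policy header value against the script/plugin
directive advice quoted above (added example, not from the original post)."""

# Source expressions the answer says should never appear in a script/object policy
RISKY_SOURCES = ("'unsafe-inline'", "data:")


def parse_csp(policy: str) -> dict:
    """Parse a CSP string into {directive_name: [source, ...]}.

    Directives are separated by ';'; the first token of each is the
    directive name (case-insensitive), the rest are source expressions.
    A repeated directive is ignored after its first occurrence, as in the spec.
    """
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def check_script_policy(policy: str) -> list:
    """Return a list of findings; an empty list means the policy follows the advice."""
    d = parse_csp(policy)
    findings = []
    has_default = "default-src" in d
    has_both = "script-src" in d and "object-src" in d
    if not (has_default or has_both):
        findings.append("missing default-src, or both script-src and object-src")
    # Effective source list: the specific directive, else the default-src fallback
    for directive in ("script-src", "object-src"):
        for src in d.get(directive, d.get("default-src", [])):
            if src.lower() in RISKY_SOURCES:
                findings.append(f"{directive} allows {src}")
    return findings


if __name__ == "__main__":
    # Constructed sample policies, one compliant and one that relies on inline script
    for sample in ("default-src 'self'; img-src https://cdn.example",
                   "script-src 'self' 'unsafe-inline'; object-src 'none'"):
        print(sample, "->", check_script_policy(sample) or "ok")
```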