
I have a Chrome extension that makes a POST request to my website from the extension's background script. I get the following error (shown in Chrome's extension manager):

Refused to connect to 'https://my.website.com/path/' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.

It's honestly not even clear to me if I need to change something in the js code or server-side.

background.js:

var xmlHttp;

// Fires the POST from the extension's background page.
function makerequest(){
    xmlHttp=new XMLHttpRequest();
    xmlHttp.open("POST", "https://my.website.com/path/",true);
    xmlHttp.onreadystatechange = got_response;
    var formData = new FormData(); // empty body, just to exercise the request
    xmlHttp.send(formData);
}

// readyState 4 means the response (or the failure) is complete.
function got_response(){
    if (xmlHttp.readyState == 4){
         alert(xmlHttp.responseText);
    }
}

The manifest includes:

"permissions": ["activeTab", "*://my.website.com/*","contextMenus"],

"background": {
    "scripts": ["background.js"],
    "persistent": false
  },

"content_security_policy":"connect-src 'self' https://my.website.com/*",

I have seen that there are other related questions/answers. However, they are either trying to access someone else's website (not one I control) or there is an issue with using inline code, which doesn't seem to be the issue here since the code is in background.js (or if it is, please explain!). If you suggest another answer, or vote to close, please actually check that the other answer answers THIS question.

user984003
  • There should be no need for `content_security_policy`. Try to remove it (and make sure to reload the extension on chrome://extensions page). If it won't work there might be a bug in the browser so try a much older portable version or Chrome Canary. – wOxxOm Feb 25 '20 at 05:31

1 Answer

You need to remove the trailing asterisk from your CSP string. Asterisks are not interpreted as wildcard characters in the path part of a source identifier in CSP strings. Your current CSP string only allows connections to the literal URL https://my.website.com/*.

The Content Security Policy Level 2 specification explicitly says:

The rules for matching source expressions that contain paths are simpler than they look: paths that end with the '/' character match all files in a directory and its subdirectories. Paths that do not end with the '/' character match only one specific file.

Apart from that, the CSP string in the manifest should limit script-src and object-src (either explicitly or using default-src). If it doesn't do that, Chrome displays warnings on the extension details page.

The CSP line in your manifest should therefore look like this:

"content_security_policy":"default-src 'self'; connect-src 'self' https://my.website.com/",

Petr Srníček
  • It still fails with the same error. I tried both https://my.website.com/ and https://my.website.com/path/ for connect-src – user984003 Feb 25 '20 at 13:31
  • @user984003 That is strange, I don't get any errors in the current official version of Chrome (80.0.3987.122) in Windows. What version of Chrome are you using? You could try inspecting the CSP headers of the generated background page in DevTools (it will show on the Network tab after reloading just like any other page). – Petr Srníček Feb 25 '20 at 14:27
  • I'm using the latest, non-beta Chrome. Could it be an issue with what is set for the website server-side? – user984003 Feb 25 '20 at 19:01
  • The URL doesn't appear on the Network tab. So I guess it is blocked from even being called. – user984003 Feb 25 '20 at 19:03
  • It works (even without any content-security param) if I run it from JS that is injected by the background.js page instead of from the background.js page. Maybe I'll just have to do it that way, although I wanted to try directly from background.js – user984003 Feb 25 '20 at 19:07
  • The background script runs in a separate hidden page which has its [own separate devtools](https://stackoverflow.com/a/10258029). – wOxxOm Feb 25 '20 at 19:27
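As an added example (not code from the question, the answer, or Chrome itself), here is a small JavaScript model of how a connect-src source list is matched against a URL under the CSP Level 2 path rule quoted in the answer, including the default-src fallback named in the error message. The extension id is constructed; the two policy strings are the asker's and the answer's.

```javascript
// Added example, not code from the question or the answer: a teaching model of
// how a CSP connect-src source list is matched against a URL, following the
// CSP Level 2 path rule quoted in the answer. Host wildcards ("*.example.com"),
// scheme-only sources and 'unsafe-*' keywords are deliberately not modelled.
// Source list that governs connections: connect-src, else default-src (the
// fallback named in the error message), else undefined (no restriction at all).
function connectSources(policy) {
  const directives = new Map(
    policy.split(';').map((d) => d.trim()).filter(Boolean).map((d) => {
      const [name, ...sources] = d.split(/\s+/);
      return [name, sources];
    })
  );
  return directives.get('connect-src') || directives.get('default-src');
}

// CSP2 path rule: no path (or bare '/') matches any path; a path ending in '/'
// matches that directory and everything below it; any other path matches one
// exact file. A '*' inside the path is an ordinary character, not a wildcard.
function pathMatches(srcPath, urlPath) {
  if (srcPath === '' || srcPath === '/') return true;
  if (srcPath.endsWith('/')) return urlPath.startsWith(srcPath);
  return urlPath === srcPath;
}

// Scheme and host are compared literally; url.origin is avoided because WHATWG
// URL reports it as "null" for non-special schemes such as chrome-extension:.
function originOf(url) {
  return url.protocol + '//' + url.host;
}

function sourceMatches(source, url, selfOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return originOf(url) === selfOrigin;
  const src = new URL(source);
  return originOf(src) === originOf(url) && pathMatches(src.pathname, url.pathname);
}

// Would a request from an extension page (origin selfOrigin) to targetUrl pass?
function connectAllowed(policy, targetUrl, selfOrigin) {
  const sources = connectSources(policy);
  if (!sources) return true;  // neither connect-src nor default-src is set
  const url = new URL(targetUrl);
  return sources.some((s) => sourceMatches(s, url, selfOrigin));
}

// Constructed extension id; the asker's manifest policy beside the answer's.
const SELF = 'chrome-extension://abcdefghijklmnopabcdefghijklmnop';
const ORIGINAL_POLICY = "connect-src 'self' https://my.website.com/*";
const FIXED_POLICY = "default-src 'self'; connect-src 'self' https://my.website.com/";
```

Running `connectAllowed(ORIGINAL_POLICY, 'https://my.website.com/path/', SELF)` returns false while the same call with `FIXED_POLICY` returns true, which is the difference the answer describes.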