I am writing my first ever Chrome extension where I need to load the Facebook page plugins SDK on my popup.html for me to display the timeline feed. However, the SDK failed to load citing CSP issues.

> Refused to load the script 'https://connect.facebook.net/en_GB/sdk.js' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

Upon doing some research, I found this guide for manifest v3 (I am using the same version) but it's confusing for me on how I could write the policy to allow the script above.

There are no examples online for v3 (plenty of them are available for v2).

Any help would really be appreciated.

Thank you :)

Naser Mohd Baig
  • ManifestV3 forbids loading external scripts as stated in the guide you've linked. You can put the script into extension directory and load it as a local file but I doubt it'll work though because Facebook SDK loads itself dynamically from the server. There is no solution currently. ManifestV3 is still in its early test stage so maybe in the future there'll be some way to use such scripts. Meanwhile you can only do it in a separate [sandboxed page](https://developer.chrome.com/docs/extensions/mv3/manifest/sandbox/), not in the background script. – wOxxOm Jan 18 '21 at 06:33
  • @wOxxOm but this is in the popup and the restrictions were for the content scripts, right? – Naser Mohd Baig Jan 18 '21 at 08:05
  • No, CSP restrictions are for all extension pages/scripts. – wOxxOm Jan 18 '21 at 08:43
  • @wOxxOm oh okay, guess I have to revert back to v2 for now. Could you please let me know if the policy below is good/safe for what I am trying to do? `"content_security_policy":"script-src 'self' https://connect.facebook.net; object-src 'self'"` – Naser Mohd Baig Jan 18 '21 at 13:15
  • I'm also trying to use Content Security Policy stuff... but nothing works on Manifest v3... perhaps there's something I need to write down before everything clear then :D – gumuruh Jan 06 '22 at 10:52

0 Answers
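
The rule stated in the comments, as an added example that is not code from the thread: a small Node.js lint that checks a manifest's extension-page `script-src` against what Manifest V3 accepts, run over the policy from the question. The sample manifests, `feed.html` and the sandbox policy string are constructed assumptions.

```javascript
// Sources Chrome accepts in script-src for MV3 extension pages of a packed extension.
const MV3_ALLOWED_SCRIPT_SRC = new Set(["'self'", "'none'", "'wasm-unsafe-eval'"]);

// Split a CSP string into { directive: [source, ...] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Return the problems found; an empty array means the policy passes this check.
function lintExtensionCsp(manifest) {
  if (manifest.manifest_version !== 3) return []; // only the MV3 rule is modelled
  const csp = manifest.content_security_policy;
  if (typeof csp === "string") {
    return ["MV3 expects an object with 'extension_pages'/'sandbox' keys, not a string"];
  }
  // Fallback mirrors the directive quoted in the error message in the question.
  const policy = (csp && csp.extension_pages) || "script-src 'self'";
  const directives = parseCsp(policy);
  const scriptSrc = directives["script-src"] || directives["default-src"] || [];
  return scriptSrc
    .filter((src) => !MV3_ALLOWED_SCRIPT_SRC.has(src))
    .map((src) => `script-src source not allowed on MV3 extension pages: ${src}`);
}

// Constructed sample manifests (only the relevant keys are shown).
const FB = "https://connect.facebook.net";
const mv2StyleString = {
  manifest_version: 3,
  content_security_policy: `script-src 'self' ${FB}; object-src 'self'`,
};
const mv3RemoteHost = {
  manifest_version: 3,
  content_security_policy: { extension_pages: `script-src 'self' ${FB}; object-src 'self'` },
};
// feed.html is a hypothetical sandboxed page; its policy is an assumption and is not linted.
const mv3Sandboxed = {
  manifest_version: 3,
  content_security_policy: {
    extension_pages: "script-src 'self'; object-src 'self'",
    sandbox: `sandbox allow-scripts; script-src 'self' ${FB}`,
  },
  sandbox: { pages: ["feed.html"] },
};
for (const m of [mv2StyleString, mv3RemoteHost, mv3Sandboxed]) console.log(lintExtensionCsp(m));
```

The third manifest passes because the remote host appears only in the `sandbox` policy, which matches the sandboxed-page route suggested in the comments; the lint does not check whether the SDK works from there.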