
I'm trying to develop a Chrome extension that provides translation of meeting audio using the Microsoft speech translation API. So far I've been able to integrate the API into my content script and trigger the translation process. But I'm getting the following errors right after:

Refused to create a worker from 'blob:https://meet.google.com/64dd2a91-68d8-4dad-a670-b2f60802b7b0' because it violates the following Content Security Policy directive: "worker-src 'self'".

Refused to create a worker from 'blob:https://meet.google.com/64dd2a91-68d8-4dad-a670-b2f60802b7b0' because it violates the following Content Security Policy directive: "script-src 'nonce-2I2d8Ck8M1aHt/5Ka0zUQQ' 'unsafe-eval' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.gstatic.com https://www.google-analytics.com https://youtube.googleapis.com https://youtube.com https://s.ytimg.com https://www.youtube.googleapis.com". Note that 'worker-src' was not explicitly set, so 'script-src' is used as a fallback.

Following is my manifest file:

```json
{
    "name" : "Meeting Translator",
    "description" : "Real time audio to text translation",
    "version" : "0.0.1",
    "manifest_version" : 2,
    "browser_action" : {
        "default_popup" : "popup.html",
        "default_icon": {
            ...
        }
    },
    "icons" : {
        ...
    },
    "background" : {
        "scripts" : ["background.js"],
        "persistent" : false
    },
    "content_scripts" : [
        {
            "matches" : ["https://meet.google.com/*","http://meet.google.com/*"],
            "js" : [
                "js/microsoft.cognitiveservices.speech.sdk.bundle.js",
                "js/socket.io.min.js",
                "js/content.js"
            ]
        }
    ],
    "permissions" : ["tabs","contentSettings", "storage", "pageCapture"],
    "content_security_policy" : "script-src 'self'; script-src-elem 'self' data: blob:; worker-src 'self' data: blob:; object-src 'self'"
}
```

This is my first try in extension building. Any help is much appreciated.

PS: If anyone can, please explain or refer me to easy material to understand CSP better.

Burhan
  • It's the CSP of the web page, where the content script runs, that blocks your worker. It's not related to CSP in manifest.json which is for your extension pages. Either don't use a worker or create it [inside an iframe](https://stackoverflow.com/a/15876614). – wOxxOm Feb 16 '21 at 05:48
  • Looks like your Chrome extension does not use CSP from manifest, maybe you have `` tag. You publish somewhere CSP with the rule `script-src 'nonce-2I2d8Ck8M1aHt/5Ka0zUQQ' 'unsafe-eval' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.gstatic.com https://www.google-analytics.com https://youtube.googleapis.com https://youtube.com https://s.ytimg.com https://www.youtube.googleapis.com`. – granty Feb 16 '21 at 05:48
  • @granty it will never be used because that's not how extensions work. – wOxxOm Feb 16 '21 at 05:49
  • @wOxxOm Yep, but while debugging on localhost anything can happen, people are very talented. For example, [here](https://i.stack.imgur.com/gQ9Wq.png) a CSP in a Chrome extension is published via an HTTP header, and it's applied. – granty Feb 16 '21 at 06:30
  • @granty, CSP from manifest.json has no relation to web page CSP and is not applied. Your screenshot shows something completely unrelated. – wOxxOm Feb 16 '21 at 06:44
  • @wOxxOm Thanks for your suggestion. Going with an iframe seems to be the solution for my case. – Burhan Feb 17 '21 at 00:49
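
The directive fallback and source matching behind the two errors above, as an added example that is not part of the original thread: a simplified check of a worker URL against every policy delivered with a page. The function names and the shortened host list are assumptions; host wildcards, scheme-less hosts, ports and paths are not modelled.

```javascript
// Added example: simplified model of CSP checks for a Worker URL.
// Not modelled: host wildcards, scheme-less hosts, ports, paths, report-only policies.
const WORKER_FALLBACK = ["worker-src", "child-src", "script-src", "default-src"];

function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored; the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function sourceMatches(source, url, pageOrigin) {
  const u = new URL(url);
  // A scheme-source such as blob: or data: matches on the scheme alone.
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return u.protocol === source.toLowerCase();
  const network = u.protocol === "http:" || u.protocol === "https:";
  // Per the errors on this page, a blob: URL does not satisfy 'self'.
  if (source === "'self'") return network && u.origin === pageOrigin;
  if (source === "*") return network;
  if (source.startsWith("'") || !source.includes("://")) return false; // nonces, keywords
  return network && u.origin === new URL(source).origin;
}

// Every policy delivered with the page must allow the URL.
function checkWorker(policies, url, pageOrigin) {
  const violations = [];
  for (const policy of policies) {
    const directives = parsePolicy(policy);
    const name = WORKER_FALLBACK.find((d) => directives.has(d));
    if (!name) continue; // this policy does not restrict workers
    const ok = directives.get(name).some((s) => sourceMatches(s, url, pageOrigin));
    if (!ok) violations.push(name);
  }
  return { allowed: violations.length === 0, violations };
}

// Directives as quoted in the two errors (host list shortened).
const PAGE_POLICIES = [
  "worker-src 'self'",
  "script-src 'nonce-2I2d8Ck8M1aHt/5Ka0zUQQ' 'unsafe-eval' 'self' https://apis.google.com https://www.gstatic.com",
];
const MANIFEST_POLICY = "script-src 'self'; script-src-elem 'self' data: blob:; worker-src 'self' data: blob:; object-src 'self'";
const BLOB_URL = "blob:https://meet.google.com/64dd2a91-68d8-4dad-a670-b2f60802b7b0";

console.log(checkWorker(PAGE_POLICIES, BLOB_URL, "https://meet.google.com"));
console.log(checkWorker([MANIFEST_POLICY], BLOB_URL, "https://meet.google.com"));
```

The manifest string passes the same check only because it lists `blob:`; as the first comment says, it governs extension pages, so it is never consulted for a worker created from a content script on meet.google.com.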
