I'm currently working on a browser extension but I'm having problems with web requests.
The extension needs to make requests to a self-hosted instance. That means that the URL is different for everyone.
I'm having two problems with making the web requests (in JavaScript):
- Just making any web request fails. See:

```javascript
fetch(`${base_url}/api/auth/status`)
  .then(response => {
    // catch errors: reject on any non-OK status
    if (!response.ok) {
      return Promise.reject(response.status);
    }
    return;
  })
  .catch(e => {
    console.log(e);
  });
```

Results in the following two errors:
Refused to run the JavaScript URL because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.
Refused to run the JavaScript URL because it violates the following Content Security Policy directive: "script-src 'self' 'wasm-unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.
- Reading articles, it looks like I need to add the exact URLs to the manifest.json file that requests will be made to. However, requests are made to any URL, because the server is self-hosted. So how am I going to fix that?
I've looked at these articles and SO posts, but none seem to help: Dev, Medium, SO 1, CSPlite, Csper, SO 2
Thanks in advance for any help :)
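
One way to handle the per-user server URL from the second problem, as an added example that is not part of the original post: declare host access as optional in the manifest and request it at runtime for only the origin the user configured. It assumes Manifest V3 with `"optional_host_permissions": ["*://*/*"]`; the function names are hypothetical, and the `permissions` and `fetchImpl` parameters exist only so the code can run outside a browser.

```javascript
// Added example; function names are hypothetical. Assumes Manifest V3 with
//   "optional_host_permissions": ["*://*/*"]
// so no host access is granted until the user configures a server.

// Turn the user-entered base URL into a match pattern for that one host.
function originPattern(baseUrl) {
  let url;
  try {
    url = new URL(baseUrl);
  } catch {
    throw new Error(`Not a valid URL: ${baseUrl}`);
  }
  // Only web schemes; rejects javascript:, file:, data: and the like.
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    throw new Error(`Unsupported scheme: ${url.protocol}`);
  }
  // The pattern is built from scheme and hostname; the port is left out.
  return `${url.protocol}//${url.hostname}/*`;
}

// Ask for access to the configured origin only. permissions.request() must be
// called from a user gesture, e.g. the click handler of a "Save" button.
async function ensureHostAccess(baseUrl, permissions = globalThis.chrome?.permissions) {
  const wanted = { origins: [originPattern(baseUrl)] };
  if (await permissions.contains(wanted)) return true;
  return permissions.request(wanted);
}

// Call the status endpoint from the question once access has been granted.
async function checkAuthStatus(baseUrl, permissions, fetchImpl = globalThis.fetch) {
  if (!(await ensureHostAccess(baseUrl, permissions))) {
    throw new Error("Host permission was not granted");
  }
  const endpoint = `${baseUrl.replace(/\/+$/, "")}/api/auth/status`;
  const response = await fetchImpl(endpoint);
  if (!response.ok) throw new Error(`HTTP ${response.status}`);
  return response.status;
}
```

Requesting a single origin keeps the extension away from a blanket `<all_urls>` grant, and the user sees a permission prompt naming the server they entered.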