
Nonce or hash needed for inline JS execution with Shortkeys #599

Closed
povoloka opened this issue Feb 15, 2024 · 15 comments · Fixed by #633

Comments

@povoloka

Hi,

I am using Shortkeys with Dropbox to grab file paths from the browser address bar. Since yesterday it doesn't work; the console echoes this after pressing the shortcut: "Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' https://www.dropbox.com/static/api/ https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js 'nonce-My20cdvnPoIjcndfFw9sYH7gvs8='". Either the 'unsafe-inline' keyword, a hash ('sha256-TecPFdRXpOdzuusl+jgCFoR6XHmyaC+ihkUUj+LCIbc='), or a nonce ('nonce-...') is required to enable inline execution."

Is there anything that can be done?

@samx9

samx9 commented Feb 15, 2024

Same here, been having this issue since yesterday :(

@crittermike
Owner

See #598. The upgrade had issues. I'm waiting for the webstore team to approve my reverted package, which should get you back in working order.

@samx9

samx9 commented Feb 15, 2024

> See #598. The upgrade had issues. I'm waiting for the webstore team to approve my reverted package, which should get you back in working order.

Thank you Mike

@povoloka
Author

povoloka commented May 7, 2024

Well, this came back after last Chrome update :(

@tjhorner
Contributor

tjhorner commented May 9, 2024

Playing around with a few potential solutions to this, and it looks like this API is what's needed to fix it: https://developer.chrome.com/docs/extensions/reference/api/userScripts

It will require a bit of a refactor, but it looks viable. I can try this out and possibly submit a PR if successful.

@tjhorner
Contributor

tjhorner commented May 9, 2024

OK, here's what I've come up with so far. When the shortcut keys are updated, a userscript is registered that contains all the handlers and a snippet to listen to the shortkeys_js_run DOM event, which now sends the key instead of the actual JS code. This allows the extension to avoid eval'ing or injecting a <script> element (both of which would be forbidden by a strict CSP) while still remaining in the main isolated world (rather than the userscript isolated world). Since all the user code is contained in the userscript, it's exempt from the document's CSP, so there is no violation. This is in contrast to the previous method of injecting a <script> into the DOM, which would be affected by the CSP.

Here is an example of a generated userscript:

// Map of key combination -> the user's handler, built from the shortcut table.
const handlers = {"shift+a":function() {console.log("hello2")},};
function registerHandlers() {
  // The content script dispatches this event with the key name as e.detail.
  document.addEventListener('shortkeys_js_run', function (e) {
    if (handlers[e.detail]) {
      handlers[e.detail]();
    }
  });
}
registerHandlers();

Here is the branch I've made an MVP implementation in. It's very messy and there are lots of areas of improvement (in addition to the messaging to the user that they need to enable developer mode for JS to work now), but I'm just looking for feedback on the general concept.

If the maintainers are good with this strategy, I can clean it up and get this merged, or y'all can take it over from here. Whatever works best!
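The design in the comment above, written out as an added example that is not the Shortkeys project's own code. It is plain Node.js: the page `document` is simulated with an `EventTarget`, and `new Function` stands in for the browser executing the registered user script (the extension itself never calls `eval`/`Function` on the page). The function names (`buildUserScript`, `buildRegistration`, `dispatchRun`, `loadUserScript`, `runDemo`), the registration `id` and the `<all_urls>` match pattern are my assumptions; the property names passed to `chrome.userScripts.register()` follow the documented RegisteredUserScript shape, and in a real extension that call lives in the background worker, needs the `userScripts` permission in `manifest.json`, and only works once the user has enabled developer mode. The `legacyInject` function is kept only to show the pattern that produces both errors reported in this thread and is never called.

```javascript
// Added example (not Shortkeys' own code): a userScripts-based design in which the
// page event carries a lookup key, not JS source. Runs in Node.js >= 15 (Event and
// EventTarget are globals); `document` is simulated below.

const EVENT_NAME = 'shortkeys_js_run';

// The pattern that breaks under a strict CSP: the content script writes the user's
// JS into an inline <script>. Executing that element is what the "Refused to execute
// inline script" error refers to, and assigning a string to textContent is what a
// page enforcing Trusted Types rejects with "requires 'TrustedScript' assignment".
// Kept for contrast only; never called in this example.
function legacyInject(pageDocument, code) {
  const s = pageDocument.createElement('script');
  s.textContent = code;              // rejected under require-trusted-types-for 'script'
  pageDocument.head.appendChild(s);  // rejected by script-src without 'unsafe-inline'
}

// Generate the user script from the shortcut table (key combo -> JS typed by the
// user). Keys are JSON-encoded so a quote in a key cannot break out of the object
// literal; the code is the user's own and is inserted verbatim.
function buildUserScript(shortcuts) {
  const entries = Object.entries(shortcuts).map(
    ([key, code]) => `  ${JSON.stringify(key)}: function () {\n${code}\n  }`
  );
  return [
    'const handlers = {',
    entries.join(',\n'),
    '};',
    `document.addEventListener(${JSON.stringify(EVENT_NAME)}, function (e) {`,
    '  // Only configured keys fire; inherited names such as "constructor" do not.',
    '  if (Object.prototype.hasOwnProperty.call(handlers, e.detail)) {',
    '    handlers[e.detail]();',
    '  }',
    '});',
  ].join('\n');
}

// The object handed to chrome.userScripts.register(). The id and match pattern
// are assumed here; the property names are the documented ones.
function buildRegistration(shortcuts) {
  return {
    id: 'shortkeys-handlers',
    matches: ['<all_urls>'],
    js: [{ code: buildUserScript(shortcuts) }],
    world: 'MAIN',           // page's main world, so handlers see the page's globals
    runAt: 'document_start',
  };
}

// Content-script side: when a shortcut is pressed, send the key name, never code.
function dispatchRun(pageDocument, key) {
  const e = new Event(EVENT_NAME);
  e.detail = key;            // same role as CustomEvent's detail; plain Event runs in Node
  pageDocument.dispatchEvent(e);
}

// Simulate the browser loading the registered script into a page.
function loadUserScript(source) {
  const pageDocument = new EventTarget();
  pageDocument.calls = [];   // constructed sink so handler effects can be observed
  new Function('document', source)(pageDocument);
  return pageDocument;
}

function runDemo() {
  // Constructed shortcut table standing in for what the user typed in the options page.
  const shortcuts = {
    'shift+a': 'document.calls.push("hello2");',
    'ctrl+k': 'document.calls.push("search");',
  };
  const pageDocument = loadUserScript(buildRegistration(shortcuts).js[0].code);
  dispatchRun(pageDocument, 'shift+a');
  dispatchRun(pageDocument, 'ctrl+k');
  // The detail is a lookup key, so a string of code in it does nothing...
  dispatchRun(pageDocument, 'document.calls.push("injected");');
  // ...and neither does a name that exists only on Object.prototype.
  dispatchRun(pageDocument, 'constructor');
  return pageDocument.calls; // ['hello2', 'search']
}
```

Two points worth keeping in mind when adopting this. First, the listener checks `hasOwnProperty` rather than the truthiness of `handlers[e.detail]`, because with a plain object literal `handlers['constructor']` is `Object` and would be called. Second, any script already running on the page can dispatch `shortkeys_js_run` itself and fire the user's handlers; since those handlers execute in the main world, the page gains nothing it could not do directly, but the event should still be treated as untrusted input and never carry anything that is evaluated as code.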

@vtexperts

@tjhorner could you provide a built .zip? I don't have an option to build it myself right now. I use Gmail extensively with Shortkeys and will provide feedback. Thanks

@piotr-dobrogost

This issue probably manifests with the following error:
Uncaught TypeError: Failed to set the 'textContent' property on 'Node': This document requires 'TrustedScript' assignment.
(Adding this info here as there are already two duplicates (#621 and #622), probably because the above error message is not mentioned in this issue.)

@pjeby

pjeby commented May 9, 2024

Also, as someone mentioned above, the TrustedScript is an issue that cropped up after a recent update from the webstore. I had to accept new permissions and was told Shortkeys was going to run in the background, just like when the first broken release came out.

Could perhaps the webstore have put back out the broken version?

@vtexperts

I reverted back to version 4.0.3 and it is working for the time being.

@minerharry

Any updates on this? It still seems broken on Firefox.

@ChaosFreak

Is there an update on this? I am also getting this error:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src-elem 'self' 'nonce-83569ed9-82b7-4c15-8f8f-9a70119f2f53' 'sha256-RvbVrdDS11FSnQaULCOgXPA5u0nMP2Im1d2pGiRBGC4=' 'sha256-eMuh8xiwcX72rRYNAGENurQBAcH7kLlAUQcoOri3BIo=' auth0.openai.com challenges.cloudflare.com chatgpt.com/ces https://*.chatgpt.com https://*.chatgpt.com/ https://*.oaistatic.com https://api.openai.com https://apis.google.com https://chat.openai.com https://chatgpt.com/ https://chatgpt.com/backend-anon https://chatgpt.com/backend-api https://chatgpt.com/graphql https://chatgpt.com/public-api https://chatgpt.com/voice https://docs.google.com https://jidori.g1.internal.services.openai.org https://js.live.net/v7.2/OneDrive.js https://oaistatic.com https://snc.apps.openai.com https://snc.chatgpt.com/backend/se https://tcr9i.chat.openai.com https://tcr9i.chatgpt.com/ https://www-onepick-opensocial.googleusercontent.com wss://*.chatgpt.com wss://*.chatgpt.com/". Either the 'unsafe-inline' keyword, a hash ('sha256-TK8RALKMi8mgr/S8ByjgBnsJoTDbMfDJPXi4/UatUjs='), or a nonce ('nonce-...') is required to enable inline execution.

@tjhorner
Contributor

I have a working fix; I'm just waiting for the maintainers to provide feedback. If they are unresponsive, I can publish a version of the extension myself as well.

@crittermike
Owner

Apologies for the wild delay @tjhorner! I'm attempting to catch up on issues now. Your approach looks great! If you want to clean it up and PR it, I'd be happy to review/accept.

@tjhorner
Contributor

It's all good @crittermike! I'll go ahead and make the PR sometime this weekend.
