Content-Security-Policy prevents MathJax from loading #4

Closed
emichael opened this issue Mar 9, 2014 · 3 comments

emichael commented Mar 9, 2014

Unfortunately, sites that set Content-Security-Policy in their headers prevent MathJax from loading. This is unfortunate, but I'm not sure what to do about it since (AFAIK) MathJax relies on being able to put scripts in the DOM and having them be loaded by the browser.

At the very least, we should make sure that MathJax.Hub is defined in retexChecker.js before trying to Queue the typesetting to avoid throwing a million exceptions.

@emichael emichael added the bug label Mar 9, 2014
@emichael emichael self-assigned this Mar 9, 2014
@emichael emichael added this to the v0.3 milestone Mar 9, 2014
emichael commented

It looks like I'm going to have to change the way MathJax.Ajax does loading to make sure all of the JavaScript ends up in the content_script context instead of the page context.

emichael commented

Nope, changing MathJax.Ajax won't fix things, it looks like. (Unless I can circumvent the CSP entirely in the content_script environment by setting it myself.)

By simply loading MathJax from the extension library version with chrome.extension.getURL, I was able to circumvent most of the CSP (all of the necessary files were actually loading). The problem is now with EVAL in MathJax.js:265. eval.call is not allowed, and neither is injection via an inline script.

emichael commented

Even better idea! Use chrome.webRequest to modify the CSP to allow MathJax's CDN (and possibly inline scripts if necessary).
This should work......
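
The header change proposed in the last comment, as an added example that is not part of the original thread or the extension's code: it adds one script origin to each policy's `script-src` and leaves every other directive untouched, without adding `'unsafe-inline'` or `'unsafe-eval'`. The CDN origin is a placeholder and the function names are hypothetical.

```javascript
// Added example: not code from the extension discussed in this issue.
// CDN is a placeholder origin (assumption); the thread does not name the real one.
const CDN = "https://cdn.example.org";

// Add `source` to the script-src of one policy, changing nothing else.
function allowScriptSource(policy, source) {
  const directives = policy.split(";").map(d => d.trim()).filter(Boolean)
    .map(d => d.split(/\s+/));
  const find = name => directives.find(d => d[0].toLowerCase() === name);
  let script = find("script-src");
  if (!script) {
    const fallback = find("default-src");
    if (!fallback) return policy.trim(); // this policy does not restrict scripts
    // An explicit script-src replaces the default-src fallback, so copy its sources.
    script = ["script-src", ...fallback.slice(1)];
    directives.push(script);
  }
  // 'none' is only valid on its own, so drop it once a real source is listed.
  const sources = script.slice(1).filter(s => s.toLowerCase() !== "'none'");
  if (!sources.includes(source) && !sources.includes("*")) sources.push(source);
  script.splice(1, script.length - 1, ...sources);
  return directives.map(d => d.join(" ")).join("; ");
}

// A header value may hold several comma-separated policies; each must allow the source.
function rewriteCspHeaders(responseHeaders, source) {
  return responseHeaders.map(h =>
    h.name.toLowerCase() === "content-security-policy"
      ? { name: h.name,
          value: h.value.split(",").map(p => allowScriptSource(p, source)).join(", ") }
      : h);
}

// Wiring in an extension background page (needs the webRequest and
// webRequestBlocking permissions); skipped when run outside a browser.
if (typeof chrome !== "undefined" && chrome.webRequest) {
  chrome.webRequest.onHeadersReceived.addListener(
    details => ({ responseHeaders: rewriteCspHeaders(details.responseHeaders, CDN) }),
    { urls: ["<all_urls>"], types: ["main_frame", "sub_frame"] },
    ["blocking", "responseHeaders"]);
}
```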
