
Security policy problem inside a Chrome extension #135

Closed
simov opened this issue Mar 2, 2013 · 4 comments

@simov

simov commented Mar 2, 2013

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' chrome-extension-resource:".
compiler.js:291

Chrome Extensions Content Security Policy
Content Security Policy 1.1

I can alter the policy string inside my manifest.json

"content_security_policy": "script-src 'unsafe-eval'; object-src 'self'"

but I shouldn't do that according to Chrome's documentation.

@oreoshake

If you load the same page in Firefox, it will provide more information about what the specific violation is (line number, code snippet).

The object-src 'self' seems unrelated? That's usually Flash-related/Java-related.

@simov

simov commented Mar 4, 2013

<!DOCTYPE html>
<html>
<head>
    <meta http-equiv="content-security-policy" content="script-src 'self'" />
    <script src="/jslib/hoganjs/template.js" type="text/javascript" charset="utf-8"></script>
    <script src="/jslib/hoganjs/compiler.js" type="text/javascript" charset="utf-8"></script>
    <script src="security-policy.js" type="text/javascript" charset="utf-8"></script>
</head>
<body>

</body>
</html>

security-policy.js

var template = Hogan.compile('<p>{{hi}}</p>');
var output = template.render({hi: 'hello'});
console.log(output);

If you comment out the meta tag you get <p>hello</p> in the console, but with the security policy enabled you get the above error at compiler.js:291. That's on Chrome; Firefox does not implement defining the policy inside the HTML. Inside a Chrome extension this policy is enabled by default, i.e. I don't define it inside the HTML, but the error is exactly the same.

@manu

manu commented Aug 6, 2013

We are using https://npmjs.org/package/helmet and it gives

Error: call to Function() blocked by CSP

https://developer.mozilla.org/en-US/docs/Web/Apps/CSP says we cannot use the Function() constructor.

Can you check https://github.com/twitter/hogan.js/blob/master/web/1.0.0/hogan.js#L387

@oreoshake

Just add 'unsafe-eval' to your policy. It is the only way it will work.

unsafe-eval is not ideal, but it's much less risky than unsafe-inline. This is a common problem, especially with template languages. We're working with the W3C on ways to solve this. That being said, I'm sure there's a possible code fix. This is just a band-aid solution.
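An added example, in JavaScript, that is not hogan.js code and not from anyone in this thread. It does two things the discussion touches on: it checks whether a CSP string such as the ones quoted above permits eval()/new Function() at all, and it contrasts a template compiler that builds a Function at runtime (the pattern that produces the EvalError at the top of the issue) with one that interprets a parsed token list and therefore runs under a policy without 'unsafe-eval'. The {{name}} template subset and the names parseCsp, allowsEval, compileWithFunction, compileAsTokens and compileForPolicy are simplified stand-ins of my own, not Hogan's API, and the policy strings fed to them are constructed from the ones posted in this issue.

```javascript
// Added example, not hogan.js code. The template syntax is a deliberately
// tiny {{name}} subset; parseCsp/allowsEval/compile* are illustrative names.

// Parse a CSP string (header value or <meta> content) into
// { directiveName: [source, ...] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// True when the policy lets scripts call eval() / new Function().
// script-src governs this; default-src is the fallback when script-src is
// absent; with neither directive present CSP imposes no eval restriction.
function allowsEval(policy) {
  const d = parseCsp(policy);
  const sources = d['script-src'] || d['default-src'];
  if (!sources) return true;
  return sources.some(s => s.toLowerCase() === "'unsafe-eval'");
}

// Minimal HTML escaping for interpolated values (null/undefined render as '').
function escapeHtml(value) {
  const s = value == null ? '' : String(value);
  return s.replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Split "<p>{{hi}}</p>" into ['<p>', '{{hi}}', '</p>'] and classify each piece.
const TAG_RE = /(\{\{\s*[\w.]+\s*\}\})/;
const KEY_RE = /^\{\{\s*([\w.]+)\s*\}\}$/;
function tokenize(template) {
  return template.split(TAG_RE).map(piece => {
    const m = piece.match(KEY_RE);
    return m ? { key: m[1] } : { text: piece };
  });
}

// Strategy 1 (the one CSP blocks): emit JavaScript source for the template and
// turn it into a function with the Function constructor. Under a page or
// extension policy without 'unsafe-eval', the `new Function` call is what throws.
function compileWithFunction(template) {
  const exprs = tokenize(template).map(t =>
    'key' in t ? `esc(ctx[${JSON.stringify(t.key)}])` : JSON.stringify(t.text));
  const fn = new Function('ctx', 'esc', `return ${exprs.join(' + ')};`);
  return ctx => fn(ctx, escapeHtml);
}

// Strategy 2 (CSP-friendly): keep the token list and walk it at render time.
// No string of code is ever evaluated, so the policy never comes into play.
function compileAsTokens(template) {
  const tokens = tokenize(template);
  return ctx => tokens
    .map(t => ('key' in t ? escapeHtml(ctx[t.key]) : t.text))
    .join('');
}

// Pick a strategy that will actually run under the given policy.
function compileForPolicy(policy, template) {
  return allowsEval(policy) ? compileWithFunction(template) : compileAsTokens(template);
}

// Stand-alone demo using the policy strings quoted in this thread (constructed inputs).
if (typeof require !== 'undefined' && require.main === module) {
  const extensionPolicy = "script-src 'self' chrome-extension-resource:";
  console.log(allowsEval(extensionPolicy)); // false: Function() would be refused
  console.log(compileForPolicy(extensionPolicy, '<p>{{hi}}</p>')({ hi: 'hello' })); // <p>hello</p>
}
```

Precompiling templates at build time follows the same idea as compileAsTokens: any code generation happens where no CSP applies, and only plain rendering functions ship to the page or extension, so 'unsafe-eval' never has to be added to the policy.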
