Security policy problem inside a Chrome extension #135
Comments
If you load the same page in Firefox, it will provide more information about what the specific violation is (line number, code snippet). The object-src 'self' seems unrelated? That's usually Flash-related/Java-related.

```html
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="content-security-policy" content="script-src 'self'" />
<script src="/jslib/hoganjs/template.js" type="text/javascript" charset="utf-8"></script>
<script src="/jslib/hoganjs/compiler.js" type="text/javascript" charset="utf-8"></script>
<script src="security-policy.js" type="text/javascript" charset="utf-8"></script>
</head>
<body>
</body>
</html>
```

```javascript
var template = Hogan.compile('<p>{{hi}}</p>');
var output = template.render({hi: 'hello'});
console.log(output);
```

If you comment out the
We are using https://npmjs.org/package/helmet and it gives `Error: call to Function() blocked by CSP`. https://developer.mozilla.org/en-US/docs/Web/Apps/CSP says we cannot use the Function() constructor. Can you check https://github.com/twitter/hogan.js/blob/master/web/1.0.0/hogan.js#L387?

Just add 'unsafe-eval' to your policy. It is the only way it will work. unsafe-eval is not ideal, but it's much less risky than unsafe-inline. This is a common problem, especially with template languages. We're working w/ the w3c on ways to solve this. That being said, I'm sure there's a possible code fix. This is just a bandaid solution.
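The code fix alluded to above is to move the step that needs `Function()` (compiling template text into code) to build time and ship only a runtime that interprets precompiled data, so `script-src 'self'` can stay as it is. The block below is an added illustration of that split with a small mustache-style engine written for this thread; it is not Hogan's code (Hogan ships its own `hulk` precompiler for the same purpose), and the op names and the `{{#key}}` subset it supports are this example's own choices.

```javascript
// Added example (not Hogan's code): build-time / runtime split for a small
// mustache-style template language. The runtime shipped to the page never calls
// Function() or eval(), so it works under script-src 'self' without 'unsafe-eval'.
// Supports {{name}} (HTML-escaped), {{{name}}} (raw), {{#key}}...{{/key}}.

// BUILD STEP: run once in Node at build time. Turns template text into a plain
// data program (JSON-serialisable array of ops); parsing happens only here.
function compileToProgram(text) {
  const tagRe = /\{\{\{\s*([\w.]+)\s*\}\}\}|\{\{\s*([#\/]?)\s*([\w.]+)\s*\}\}/g;
  const root = [], stack = [{ key: null, ops: root }];
  let last = 0, m;
  while ((m = tagRe.exec(text)) !== null) {
    const ops = stack[stack.length - 1].ops;
    if (m.index > last) ops.push({ t: 'text', v: text.slice(last, m.index) });
    if (m[1] !== undefined) ops.push({ t: 'raw', k: m[1] });      // {{{x}}}: unescaped
    else if (m[2] === '#') {                                       // {{#x}}: open section
      const sec = { t: 'sec', k: m[3], ops: [] };
      ops.push(sec);
      stack.push({ key: m[3], ops: sec.ops });
    } else if (m[2] === '/') {                                     // {{/x}}: close section
      if (stack.length < 2 || stack[stack.length - 1].key !== m[3]) throw new Error(`stray {{/${m[3]}}}`);
      stack.pop();
    } else ops.push({ t: 'esc', k: m[3] });                        // {{x}}: escaped on output
    last = tagRe.lastIndex;
  }
  if (last < text.length) stack[stack.length - 1].ops.push({ t: 'text', v: text.slice(last) });
  if (stack.length !== 1) throw new Error(`unclosed {{#${stack[stack.length - 1].key}}}`);
  return root; // write JSON.stringify(root) to a static file served from the extension
}

// RUNTIME: the only code the extension page loads. It interprets the data
// program; no string is ever turned into code, so the CSP needs no eval exception.
const ESC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => ESC[c]);

function render(program, ctx) {
  let out = '';
  for (const op of program) {
    const v = op.k === undefined ? undefined : ctx[op.k];
    if (op.t === 'text') out += op.v;
    else if (op.t === 'esc') out += v == null ? '' : escapeHtml(v);
    else if (op.t === 'raw') out += v == null ? '' : String(v);
    else if (op.t === 'sec') {
      const items = Array.isArray(v) ? v : v ? [v] : [];  // falsy/empty list renders nothing
      for (const it of items) out += render(op.ops, it && typeof it === 'object' ? { ...ctx, ...it } : ctx);
    }
  }
  return out;
}
```

Running `compileToProgram` in the build and loading only `render` plus the emitted JSON in the page reproduces the thread's `Hogan.compile('<p>{{hi}}</p>').render({hi: 'hello'})` result without any `Function()` call.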
Chrome Extensions Content Security Policy
Content Security Policy 1.1
I can alter the policy string inside my manifest.json, but I shouldn't do that according to Chrome's documentation.