Chrome Extension – Content Security Policy – executing inline code

No, it is not possible to relax this policy. unsafe-inline is specifically ignored by Chrome Extensions since manifest version 2. Documentation (emphasis mine): There is no mechanism for relaxing the restriction against executing inline JavaScript. In particular, setting a script policy that includes 'unsafe-inline' will have no effect. The error message mentions several possible ways, …

Injecting iframe into page with restrictive Content Security Policy

The inability to insert an external iframe in Chrome is a bug (crbug.com/408932). If you want to embed an external frame in an external website, then it must be loaded in a frame that is packaged with your extension. manifest.json { "name": "Embed external site", "version": "1", "manifest_version": 2, "content_scripts": [{ "js": ["contentscript.js"], "matches": ["*://*/*"], …

Content Security Policy: “img-src ‘self’ data:”

Try replacing this part: img-src * 'self' data: https:; So the complete tag: <meta http-equiv="Content-Security-Policy" content="default-src *; img-src * 'self' data: https:; script-src 'self' 'unsafe-inline' 'unsafe-eval' *; style-src 'self' 'unsafe-inline' *"> Content Security Policy Reference

Violating Content Security Policy directive after ember-cli 0.0.47 upgrade

After reading some docs at http://content-security-policy.com/ and https://github.com/rwjblue/ember-cli-content-security-policy, I added some policies to my config/environment.js file like so: module.exports = function(environment) { var ENV = { contentSecurityPolicy: { 'default-src': "'none'", 'script-src': "'self' 'unsafe-inline' 'unsafe-eval' use.typekit.net connect.facebook.net maps.googleapis.com maps.gstatic.com", 'font-src': "'self' data: use.typekit.net", 'connect-src': "'self'", 'img-src': "'self' www.facebook.com p.typekit.net", 'style-src': "'self' 'unsafe-inline' use.typekit.net", 'frame-src': "s-static.ak.facebook.com static.ak.facebook.com …

Allow All Content Security Policy?

For people who still want an even more permissive policy, because the other answers were just not permissive enough, and they must work with Google Chrome for which * is just not enough: default-src * data: blob: filesystem: about: ws: wss: 'unsafe-inline' 'unsafe-eval' 'unsafe-dynamic'; script-src * data: blob: 'unsafe-inline' 'unsafe-eval'; connect-src * data: blob: 'unsafe-inline'; …

How does Content-Security-Policy work with X-Frame-Options?

The frame-src CSP directive (which is deprecated and replaced by child-src) determines what sources can be used in a frame on a page. The X-Frame-Options response header, on the other hand, determines what other pages can use that page in an iframe. In your case, http://a.com with X-Frame-Options: DENY indicates that no other page can …

Error!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)