CSP issue #146

Open
DerStimmler opened this issue Oct 18, 2024 · 8 comments

@DerStimmler

Hi, I wanted to create a simple manifest v3 extension but get the following two errors when I open the default popup:

```
Refused to load the script 'https://localhost:5173/@vite/client' because it violates the following Content Security Policy directive: "script-src 'self' http://localhost:5173". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
Refused to load the script 'https://localhost:5173/src/entries/popup/main.ts' because it violates the following Content Security Policy directive: "script-src 'self' http://localhost:5173". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
```

This happens in my extension but also when I create a new project with `npm init @samrum/vite-plugin-web-extension@latest` and leave everything as it is.

It hasn't worked on Chrome v129, and now after I updated to v130.0.6723.59 it's still the same problem.

@T0RNATO

T0RNATO commented Oct 21, 2024

I am having the same issue. I have 700 users who are now unable to use their extension... don't we just love Chrome randomly updating things like this.

@SleepyStew

+1

@SleepyStew

@DerStimmler

For anyone encountering this issue, here's a super simple fix that works for me and T0RNATO:

In vite config

```diff
webExtension({
    manifest: getManifest(version),
+   useDynamicUrlWebAccessibleResources: false,
}),
```

@MartinMalinda

This helped, big thanks @SleepyStew !

@DerStimmler
Author

@SleepyStew

Awesome, thanks a lot!

@DerStimmler
Author

I'm wondering why we have to explicitly set it to false, as the README claims that should be the default.

useDynamicUrlWebAccessibleResources (optional)
- Type: `boolean`
- Default: `false`

@SleepyStew

@DerStimmler yeah, it is strange, isn't it? Searching through this repo I found quite a few (although old) files where it was documented to set `useDynamicUrlWebAccessibleResources` to true by default.

@DerStimmler
Author

Yes, the type definition claims that the default is true:

```ts
/**
 * Sets the use_dynamic_url property on web accessible resources generated by the plugin
 * Default: true
 */
useDynamicUrlWebAccessibleResources?: boolean;
```

I'm not 100% sure, but I think the default is set here in line 17:

```ts
export default function getAdditionalInputAsWebAccessibleResource(
  input: NormalizedAdditionalInput
): {
  matches: string[] | undefined;
  extension_ids: string[] | undefined;
  use_dynamic_url?: boolean;
} | null {
  if (!input.webAccessible) {
    return null;
  }
  return {
    matches: input.webAccessible.matches,
    extension_ids: input.webAccessible.extensionIds,
    use_dynamic_url: true,
  };
}
```
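
Given the conflicting defaults discussed in this thread, one way to confirm what actually ended up in the built manifest is to report the `use_dynamic_url` value of every `web_accessible_resources` entry. This is an added example, not code from the plugin or from any commenter; the function names and the sample manifest are constructed for illustration.

```javascript
// Added example: not code from the plugin or the thread.
// auditDynamicUrl / entriesWithDynamicUrl are hypothetical helper names.

// Report the use_dynamic_url state of every web_accessible_resources entry.
function auditDynamicUrl(manifest) {
  const entries = manifest.web_accessible_resources ?? [];
  return entries.map((entry, index) => {
    // Manifest V2 lists plain strings; the flag only exists on V3 objects.
    if (typeof entry === "string") {
      return { index, resources: [entry], scope: [], useDynamicUrl: "n/a" };
    }
    const flag = entry.use_dynamic_url;
    return {
      index,
      resources: entry.resources ?? [],
      // Who may load the resource: page match patterns and/or extension ids.
      scope: [...(entry.matches ?? []), ...(entry.extension_ids ?? [])],
      useDynamicUrl: flag === undefined ? "unset" : flag === true ? "true" : "false",
    };
  });
}

// Entries that still carry use_dynamic_url: true after the build.
function entriesWithDynamicUrl(manifest) {
  return auditDynamicUrl(manifest).filter((e) => e.useDynamicUrl === "true");
}

// Constructed sample standing in for a built manifest.json.
const sampleManifest = {
  manifest_version: 3,
  web_accessible_resources: [
    { resources: ["assets/popup.js"], matches: ["https://example.com/*"], use_dynamic_url: true },
    { resources: ["assets/content.js"], matches: ["<all_urls>"], use_dynamic_url: false },
    { resources: ["icons/*.png"], extension_ids: ["*"] },
  ],
};

for (const e of auditDynamicUrl(sampleManifest)) {
  console.log(`#${e.index} use_dynamic_url=${e.useDynamicUrl} ${e.resources.join(", ")}`);
}
```

To check a real build, pass the parsed contents of the generated `manifest.json` to `auditDynamicUrl` instead of the sample object.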
