vite-plugin-web-extension

CSP issue

Open DerStimmler opened this issue 1 year ago • 8 comments

Hi, I wanted to create a simple manifest v3 extension but get the following two errors when I open the default popup:

Refused to load the script 'https://localhost:5173/@vite/client' because it violates the following Content Security Policy directive: "script-src 'self' http://localhost:5173". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
Refused to load the script 'https://localhost:5173/src/entries/popup/main.ts' because it violates the following Content Security Policy directive: "script-src 'self' http://localhost:5173". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

This happens in my extension but also when I create a new project with npm init @samrum/vite-plugin-web-extension@latest and leave everything as it is.

It hasn't worked on Chrome v129, and now, after I updated to v130.0.6723.59, it is still the same problem.

DerStimmler avatar Oct 18 '24 22:10 DerStimmler

I am having the same issue. I have 700 users who are now unable to use their extension... don't we just love Chrome randomly updating things like this.

T0RNATO avatar Oct 21 '24 09:10 T0RNATO

+1

SleepyStew avatar Oct 22 '24 00:10 SleepyStew

@DerStimmler

For anyone encountering this issue, here's a super simple fix that works for me and T0RNATO:

In vite config

webExtension({
    manifest: getManifest(version),
+   useDynamicUrlWebAccessibleResources: false,
}),

SleepyStew avatar Oct 24 '24 21:10 SleepyStew

This helped, big thanks @SleepyStew !

MartinMalinda avatar Nov 05 '24 12:11 MartinMalinda

@SleepyStew

Awesome, thanks a lot!

DerStimmler avatar Nov 06 '24 11:11 DerStimmler

I'm wondering why we have to explicitly set it to false, as the README claims that should be the default.

https://github.com/samrum/vite-plugin-web-extension/blob/fd56ebb80fe424a968baf64e7ec739b64b6f14bd/README.md?plain=1#L165-L168

DerStimmler avatar Nov 06 '24 18:11 DerStimmler

@DerStimmler Yeah, it is strange, isn't it? Searching through this repo, I found quite a few (although old) files where it was documented to set useDynamicUrlWebAccessibleResources to true by default.

SleepyStew avatar Nov 06 '24 20:11 SleepyStew

Yes, the type definition claims that the default is true:

https://github.com/samrum/vite-plugin-web-extension/blob/fd56ebb80fe424a968baf64e7ec739b64b6f14bd/types/index.d.ts#L33-L37

I'm not 100% sure, but I think the default is set here in line 17:

https://github.com/samrum/vite-plugin-web-extension/blob/fd56ebb80fe424a968baf64e7ec739b64b6f14bd/src/utils/getAdditionalInputAsWebAccessibleResource.ts#L3-L19

DerStimmler avatar Nov 07 '24 13:11 DerStimmler
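
Since the thread leaves the real default of useDynamicUrlWebAccessibleResources unclear, one way to settle it for a given build is to inspect the generated manifest rather than the docs. The following is an added example, not code from the thread or from the plugin: it assumes the option controls the `use_dynamic_url` key on `web_accessible_resources` entries, and `SAMPLE_MANIFEST`, `parseCsp` and `auditManifest` are hypothetical names with constructed sample data.

```javascript
// Added example: audit a built MV3 manifest object for the two things this thread turns on.
// SAMPLE_MANIFEST is constructed for illustration; it is not output captured from the plugin.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  content_security_policy: {
    extension_pages: "script-src 'self' http://localhost:5173; object-src 'self'",
  },
  web_accessible_resources: [
    { resources: ["assets/*.js"], matches: ["https://*/*"], use_dynamic_url: true },
    { resources: ["icons/*.png"], matches: ["<all_urls>"] },
  ],
};

// Split a CSP string into { directive: [sources] }.
function parseCsp(policy) {
  const out = {};
  for (const part of String(policy || "").split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // When a directive is repeated, CSP uses the first occurrence and ignores the rest.
    if (name && !(name.toLowerCase() in out)) out[name.toLowerCase()] = sources;
  }
  return out;
}

function auditManifest(manifest) {
  const csp = parseCsp(manifest.content_security_policy?.extension_pages);
  // script-src-elem falls back to script-src, as the error message in the issue notes.
  const scriptSources = csp["script-src-elem"] || csp["script-src"] || csp["default-src"] || [];
  // Dev-server origins belong in a development build only; flag them so they never ship.
  const devPattern = /^(https?:\/\/)?(localhost|127\.0\.0\.1)(:\d+|:\*)?$/i;
  const devSources = scriptSources.filter((s) => devPattern.test(s));
  const war = (manifest.web_accessible_resources || []).map((entry, index) => ({
    index,
    resources: entry.resources || [],
    // A missing key is reported as "unset" so it is not confused with an explicit false.
    useDynamicUrl: "use_dynamic_url" in entry ? entry.use_dynamic_url : "unset",
  }));
  const dynamicCount = war.filter((w) => w.useDynamicUrl === true).length;
  return { scriptSources, devSources, war, dynamicCount };
}

console.log(JSON.stringify(auditManifest(SAMPLE_MANIFEST), null, 2));
```

To check a real build, pass the parsed contents of the `manifest.json` from the build output to `auditManifest` once with the option omitted and once with it set to false.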