Matt Kruse | 8 Dec 07:16 2012

[crx] SECURITY_ERR: DOM Exception 18 on ajax calls in Chrome 23 but not Chrome 24?

Many users of my Social Fixer extension are now seeing an error when the extension tries to make an ajax call back to my site for content:
SECURITY_ERR: DOM Exception 18

This happens when the extension tries to use XMLHttpRequest to access the URL:  http://socialfixer.com/config7.json
It does not happen for users on the dev channel, with Chrome 24.

The full error in the console is:
Refused to connect to 'https://socialfixer.com/config7.json?type=chrome&version=7.301&rand=1354945044921' because it violates the following Content Security Policy directive: "connect-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.spotilocal.com:* https://*.akamaihd.net ws://*.facebook.com:* http://*.akamaihd.net".

My manifest.json does not have a content_security_policy rule, but it does have:
   "permissions": [
      "http://*.SocialFixer.com/*"
      ,"https://*.SocialFixer.com/*"
      ,"http://*.facebook.com/*"
      ,"https://*.facebook.com/*"
      ,"storage"
      ,"unlimitedStorage"
   ]

The policy being reported in the error console comes from the header that Facebook is sending:

X-WebKit-CSP: default-src *;script-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* chrome-extension://lifbcibllhkdhoafpjfnlhfpfgnpldfl 'unsafe-inline' 'unsafe-eval' https://*.akamaihd.net http://*.akamaihd.net;style-src * 'unsafe-inline';connect-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.spotilocal.com:* https://*.akamaihd.net ws://*.facebook.com:* http://*.akamaihd.net;


I've experimented with different values for content_security_policy in my manifest.json, but I can't make anything work.

So I'm looking for some answers to:
1) How do I override the security policy that Facebook is setting via header?
2) What do I have to configure to allow loading of a remote file?
3) Can I even load a remote resource over http, or must it be https?
4) Why does it fail in Chrome 23, but not 24?

I'm a cross-browser extension developer, so I don't have in-depth knowledge about how Chrome works and handles security. I've read through the docs, but I'm not sure I understand all the issues. I appreciate any tips you may have. Thanks!

Matt Kruse

--
You received this message because you are subscribed to the Google Groups "Chromium-extensions" group.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msg/chromium-extensions/-/Ql6LYcD6vvoJ.
To post to this group, send email to chromium-extensions <at> chromium.org.
To unsubscribe from this group, send email to chromium-extensions+unsubscribe <at> chromium.org.
For more options, visit this group at http://groups.google.com/a/chromium.org/group/chromium-extensions/?hl=en.
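The policy quoted in the console error is the page's (Facebook's) header, not anything from the extension's manifest: none of the hosts in the `permissions` list above appear in its `connect-src`, so a request to socialfixer.com from the page's context is refused. The following is an added example, not code from the original post or from the Social Fixer extension. It is a small evaluator for the `connect-src` directive written against the CSP 1.0 host-source rules (optional scheme, optional `*.` host wildcard, optional port or `:*`) that the `X-WebKit-CSP` header used; keyword sources such as `'unsafe-inline'`, path matching and the page's own scheme are deliberately not modelled, and scheme-less sources are treated as matching any http(s)/ws(s) URL. The header value is copied from the post; the other URLs are constructed test inputs.

```javascript
// Added example: reproduce the connect-src decision behind
// "Refused to connect to ... because it violates the following
// Content Security Policy directive". Not the extension's own code.
// Uses the global WHATWG URL class (Node >= 10 and browsers).

// Header value exactly as quoted in the post (X-WebKit-CSP sent by Facebook).
const FACEBOOK_CSP =
  "default-src *;script-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* chrome-extension://lifbcibllhkdhoafpjfnlhfpfgnpldfl 'unsafe-inline' 'unsafe-eval' https://*.akamaihd.net http://*.akamaihd.net;style-src * 'unsafe-inline';connect-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.spotilocal.com:* https://*.akamaihd.net ws://*.facebook.com:* http://*.akamaihd.net;";

// Parse a CSP header into a Map of directive name -> array of source expressions.
// Per the spec, a directive repeated in the same header keeps its first occurrence.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [rawName, ...sources] = tokens;
    const name = rawName.toLowerCase();
    if (!directives.has(name)) directives.set(name, sources);
  }
  return directives;
}

// Default ports for the schemes this simplified matcher understands.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Does one host-source expression (e.g. "https://*.facebook.com",
// "*.spotilocal.com:*", "127.0.0.1:*") match the given URL object?
function sourceMatches(expr, url) {
  if (expr === "*") return true;          // bare wildcard: any host
  if (expr.startsWith("'")) return false; // keyword sources are not modelled here
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\*|\d+))?$/i.exec(expr);
  if (!m) return false;                   // unparseable expression never matches
  const [, scheme, wildcardHost, host, port] = m;
  const urlScheme = url.protocol;
  if (scheme) {
    if (scheme.toLowerCase() + ":" !== urlScheme) return false;
  } else if (!(urlScheme in DEFAULT_PORTS)) {
    return false; // simplification: scheme-less source matches http(s)/ws(s) only
  }
  const urlHost = url.hostname.toLowerCase();
  const exprHost = host.toLowerCase();
  if (wildcardHost) {
    // "*.example.com" matches subdomains only, not example.com itself
    if (!urlHost.endsWith("." + exprHost)) return false;
  } else if (urlHost !== exprHost) {
    return false;
  }
  const urlPort = url.port || DEFAULT_PORTS[urlScheme];
  if (port === "*") return true;          // ":*" allows any port
  if (port) return port === urlPort;      // explicit port must match exactly
  return urlPort === DEFAULT_PORTS[urlScheme]; // no port given: default port only
}

// Decide whether the header's connect-src (falling back to default-src,
// as CSP does for an absent directive) allows a connection to `target`.
function connectAllowed(header, target) {
  const directives = parseCsp(header);
  const sources = directives.get("connect-src") || directives.get("default-src") || [];
  const url = new URL(target);
  return sources.some((expr) => sourceMatches(expr, url));
}

// The URL from the post's console error: refused, because no connect-src
// source names socialfixer.com (the manifest permissions play no part here).
const BLOCKED_URL =
  "https://socialfixer.com/config7.json?type=chrome&version=7.301&rand=1354945044921";
console.log("socialfixer.com allowed?", connectAllowed(FACEBOOK_CSP, BLOCKED_URL)); // false
console.log("www.facebook.com allowed?",
  connectAllowed(FACEBOOK_CSP, "https://www.facebook.com/ajax/example.php")); // true
```

Run with `node` to see the decision for each URL; `connectAllowed` is the function to call with any other header/URL pair. Because `connect-src` is present, `default-src *` never applies to XHR here, which is why the error quotes only the `connect-src` list.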
