Matt Kruse | 8 Dec 07:16 2012

[crx] SECURITY_ERR: DOM Exception 18 on ajax calls in Chrome 23 but not Chrome 24?

Many users of my Social Fixer extension are now seeing an error when the extension tries to make an ajax call back to my site for content:
SECURITY_ERR: DOM Exception 18

This happens when the extension tries to use XMLHttpRequest to access the URL:
It does not happen for users on the dev channel, with Chrome 24.

The full error in the console is:
Refused to connect to '' because it violates the following Content Security Policy directive: "connect-src https://* http://* https://* http://* * ** https://* ws://** http://*".

My manifest.json does not have a content_security_policy rule, but it does have:
   "permissions": [

The policy being reported in the error console comes from the header that Facebook is sending:

X-WebKit-CSP: default-src *;script-src https://* http://* https://* http://* * * * ** ** chrome-extension://lifbcibllhkdhoafpjfnlhfpfgnpldfl 'unsafe-inline' 'unsafe-eval' https://* http://*;style-src * 'unsafe-inline';connect-src https://* http://* https://* http://* * ** https://* ws://** http://*;

I've experimented with different values for content_security_policy in my manifest.json, but I can't make anything work.

So I'm looking for some answers to:
1) How do I override the security policy that Facebook is setting via header?
2) What do I have to configure to allow loading of a remote file?
3) Can I even load a remote resource over http, or must it be https?
4) Why does it fail in Chrome 23, but not 24?

I'm a cross-browser extension developer, so I don't have in-depth knowledge about how Chrome works and handles security. I've read through the docs, but I'm not sure I understand all the issues. I appreciate any tips you may have. Thanks!

Matt Kruse

You received this message because you are subscribed to the Google Groups "Chromium-extensions" group.
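As an added illustration (not code from the original post or from the Social Fixer extension), the following evaluator reproduces the check a browser performs for the `connect-src` directive of a Content-Security-Policy value such as the one Facebook sends in its `X-WebKit-CSP` header. Feeding it a page origin and a target URL shows why a request made in the page's context to an origin the directive does not list is refused, and why `default-src *` does not help once `connect-src` is present. The function names, the sample policy and the sample URLs are all constructed for this example; the matcher implements CSP 1.0 host-source semantics without path matching.

```javascript
// Added example: evaluate the connect-src directive of a CSP header against a URL.
// Function names, SAMPLE_POLICY, PAGE_ORIGIN and the demo URLs are constructed here.

// Parse "name src src; name src" into { name: [src, ...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return policy;
}

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Effective port of a parsed URL (explicit port, or the scheme default).
function portOf(url) {
  return url.port || DEFAULT_PORTS[url.protocol] || '';
}

// Match one source expression against a parsed URL.
// Handles 'self', 'none', '*', scheme-sources ("https:") and host-sources
// ("https://*.example.com:443"); other keywords never match a URL.
function sourceMatches(source, url, pageOrigin) {
  const page = new URL(pageOrigin);
  if (source === "'none'") return false;
  if (source === "'self'") {
    return page.protocol === url.protocol && page.hostname === url.hostname && portOf(page) === portOf(url);
  }
  if (source.startsWith("'")) return false;
  if (source === '*') return true;
  const schemeOnly = /^([a-z][a-z0-9+.-]*):$/.exec(source);
  if (schemeOnly) return url.protocol === schemeOnly[1] + ':';
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+|\*)(?::(\*|\d+))?$/.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // A host-source without a scheme inherits the page's scheme.
  const wantScheme = scheme ? scheme + ':' : page.protocol;
  if (url.protocol !== wantScheme) return false;
  if (host !== '*') {
    if (wildcard) {
      if (!url.hostname.endsWith('.' + host)) return false;
    } else if (url.hostname !== host) {
      return false;
    }
  }
  if (port === undefined) {
    // No port in the source: only the default port for the URL's scheme matches.
    if (portOf(url) !== (DEFAULT_PORTS[url.protocol] || '')) return false;
  } else if (port !== '*' && port !== portOf(url)) {
    return false;
  }
  return true;
}

// Decide whether a connection to targetUrl is allowed. connect-src governs
// XMLHttpRequest and WebSocket; default-src is consulted only when it is absent.
function connectAllowed(header, pageOrigin, targetUrl) {
  const policy = parseCsp(header);
  const directive = policy['connect-src'] ? 'connect-src' : policy['default-src'] ? 'default-src' : null;
  if (directive === null) return { allowed: true, directive: null };
  const url = new URL(targetUrl);
  const allowed = policy[directive].some((s) => sourceMatches(s, url, pageOrigin));
  return { allowed, directive };
}

// Constructed sample policy: the page lists only its own subdomains and a
// websocket host for connections, while leaving default-src wide open.
const SAMPLE_POLICY =
  "default-src *; script-src https://*.example.com 'unsafe-inline'; " +
  "connect-src https://*.example.com wss://chat.example.com 'self'";
const PAGE_ORIGIN = 'https://www.example.com';

// Evaluate a few constructed target URLs against the sample policy.
function demo() {
  return [
    'https://api.example.com/data.json',              // subdomain match: allowed
    'https://www.example.com/feed',                   // 'self': allowed
    'wss://chat.example.com/socket',                  // exact host and scheme: allowed
    'https://extension-backend.test/content.html',    // origin not listed: refused
    'http://api.example.com/data.json',               // scheme mismatch: refused
  ].map((u) => ({ url: u, ...connectAllowed(SAMPLE_POLICY, PAGE_ORIGIN, u) }));
}

console.log(demo());
```

The fourth case is the situation described in the post: a request from the page's context to a host that appears nowhere in `connect-src` is refused even though `default-src` is `*`, because the more specific directive takes precedence. A page's own header cannot be overridden from `manifest.json`; an extension's `content_security_policy` applies to the extension's own pages, not to the web page a content script runs in.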