I am developing an MV3 chrome extension that uses a sqlite3 database but I am getting an error "
'content_security_policy.extension_pages': Insecure CSP value "'unsafe-eval'" in directive 'script-src'.
Could not load manifest." when I try and add it to my chrome browser.
My manifest.json is as follows:
{
"manifest_version": 3,
"name": "Some name",
"version": "1.0",
"description": "Some description",
"icons": {
"16": "icons/icon1.png",
"32": "icons/icon2.png",
"48": "icons/icon3.png",
"128": "icons/icon4.png"
},
"action": {
"default_popup": "search.html",
"default_icon": "icons/icon4.png"
},
"background": {
"service_worker": "background.js"
},
"web_accessible_resources": [
{
"matches": ["<all_urls>"],
"resources": ["sqlite3.wasm"]
}
],
"content_security_policy": {
"extension_pages": "script-src 'self' 'unsafe-eval'; object-src 'self'; worker-src blob: 'self';"
},
"host_permissions": [
"activeTab",
"storage"
]
}
Note: sqlite3.wasm exists at in the same dir as the manifest file.
Any advice appreciated!
The issue seems to be specific to MV3.
Related
So, here is my manifest.json file:
{
"name": "",
"description": "",
"version": "0.0.1",
"manifest_version": 3,
"permissions": ["activeTab"],
"content_scripts": [
{
"svelte": [
"App.svelte"
],
"css": [
"App.css"
],
"matches": [
"http://*/*", "https://*/*", "file:///*/*"
]
}
]
}
However, it can't seem to load the css file. I already tried specification and adding !important to everything, however it doesn't want to load it.
Why ?
I am using Ocelot gateway and for swagger document using "MMLib.SwaggerForOcelot" library.
For some swagger Key, swagger UI is showing "No operations defined in spec!" and swagger JSON is coming without paths like
{
"openapi": "3.0.1",
"info": {
"title": "Admin API",
"version": "v1"
},
"paths": {},
"components": {
"schemas": {}
}
}
Ocelot Configuration Route is
{
"DownstreamPathTemplate": "/api/admin/v{version}/{everything} ",
"DownstreamScheme": "http",
"DownstreamHostAndPorts": [
{
"Host": "localhost",
"Port": 5000
}
],
"UpstreamPathTemplate": "/api/admin/v{version}/{everything}",
"UpstreamHttpMethod": [],
"QoSOptions": {
"ExceptionsAllowedBeforeBreaking": 3,
"DurationOfBreak": 1000,
"TimeoutValue": 900000
},
"SwaggerKey": "AdminAPI"
}
and Swagger Configuration is
"SwaggerEndPoints": [
{
"Key": "AdminAPI",
"Config": [
{
"Name": "Admin API",
"Version": "v1",
"Url": "http://localhost:5000/swagger/v1/swagger.json"
}
]
}
]
after reviewing the MMLib.SwaggerForOcelot source code, it looks like something to do with the version in the downstream path, any clue on how this can be fixed?
The issue is that MMLib.SwaggerForOcelot is not considering {version} while doing Ocelot transformation.
RouteOptions has a property TransformByOcelotConfig which is set to true by default, so once swagger JSON is obtained from downstream, the transformation will be done.
here, it will try to find the route from the route configuration like below and if not found it will delete the route from swagger JSON
private static RouteOptions FindRoute(IEnumerable<RouteOptions> routes, string downstreamPath, string basePath)
{
string downstreamPathWithBasePath = PathHelper.BuildPath(basePath, downstreamPath);
return routes.FirstOrDefault(p
=> p.CanCatchAll
? downstreamPathWithBasePath.StartsWith(p.DownstreamPathWithSlash, StringComparison.CurrentCultureIgnoreCase)
: p.DownstreamPathWithSlash.Equals(downstreamPathWithBasePath, StringComparison.CurrentCultureIgnoreCase));
}
The problem is StartsWith will return false since swagger JSON path will be like
/api/admin/v{version}/Connections
and route config is like
/api/admin/v{version}/{everything}
and version will replace with the version given in swagger options so that it will become
/api/admin/v1/{everything}
Fix to this problem will be
Either set "TransformByOcelotConfig":false in swagger option
"SwaggerEndPoints": [
{
"Key": "AdminAPI",
"TransformByOcelotConfig":false,
"Config": [
{
"Name": "Admin API",
"Version": "v1",
"Url": "http://localhost:5000/swagger/v1/swagger.json"
}
]
}
]
Or Change the route, just to have {everything} keyword
{
"DownstreamPathTemplate": "/api/admin/{everything} ",
"DownstreamScheme": "http",
"DownstreamHostAndPorts": [
{
"Host": "localhost",
"Port": 5000
}
],
"UpstreamPathTemplate": "/api/admin/{everything}",
"UpstreamHttpMethod": [],
"QoSOptions": {
"ExceptionsAllowedBeforeBreaking": 3,
"DurationOfBreak": 1000,
"TimeoutValue": 900000
},
"SwaggerKey": "AdminAPI"
}
I have seen similar questions but nothing that answers this exactly. So I have an application being hosted by Firebase. I recently ran some penetration tests on it and realized I need to add some security headers to the website.
Specifically: X-Frame-Options, X-XSS-Protection, and X-Content-Type-Options. The problem is I really do not know how to do that. Having given it a bit of research I can see that the way to add headers to my firebase application is to add them to my firebase.json file which I will show here:
{
"hosting": {
"site": "xxxxxxxxxxxxxxxxx",
"public": "dist/xxxxxxxxxxxx",
"ignore": [
"firebase.json",
"**/.*",
"**/node_modules/**"
],
"headers" : [ {
"source": "**",
"headers" : [{
"key" : "Access-Control-Allow-Origin",
"value" : "*"
}]
}],
"rewrites": [
{
"source": "**",
"destination": "/index.html"
}
]
}
}
Do I need to add them to the "headers" section of that?
Sorry for the ignorance but any help is appreciated.
Almost complete Firebase Security Headers
Just create your Content-Security-Policy, i´ve used report-uri.com
"headers": [
{
"source": "**",
"headers": [
{
"key": "Content-Security-Policy",
"value": "default-src 'none'; script-src 'self'; style-src 'report-sample' 'self'; object-src 'none'; base-uri 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self' https://www.google.com https://www.google.ad https://www.google.ae https://www.google.com.af https://www.google.com.ag https://www.google.com.ai https://www.google.al https://www.google.am https://www.google.co.ao https://www.google.com.ar https://www.google.as https://www.google.at https://www.google.com.au https://www.google.az https://www.google.ba https://www.google.com.bd https://www.google.be https://www.google.bf https://www.google.bg https://www.google.com.bh https://www.google.bi https://www.google.bj https://www.google.com.bn https://www.google.com.bo https://www.google.com.br https://www.google.bs https://www.google.bt https://www.google.co.bw https://www.google.by https://www.google.com.bz https://www.google.ca https://www.google.cd https://www.google.cf https://www.google.cg https://www.google.ch https://www.google.ci https://www.google.co.ck https://www.google.cl https://www.google.cm https://www.google.cn https://www.google.com.co https://www.google.co.cr https://www.google.com.cu https://www.google.cv https://www.google.com.cy https://www.google.cz https://www.google.de https://www.google.dj https://www.google.dk https://www.google.dm https://www.google.com.do https://www.google.dz https://www.google.com.ec https://www.google.ee https://www.google.com.eg https://www.google.es https://www.google.com.et https://www.google.fi https://www.google.com.fj https://www.google.fm https://www.google.fr https://www.google.ga https://www.google.ge https://www.google.gg https://www.google.com.gh https://www.google.com.gi https://www.google.gl https://www.google.gm https://www.google.gr https://www.google.com.gt https://www.google.gy https://www.google.com.hk https://www.google.hn https://www.google.hr https://www.google.ht https://www.google.hu https://www.google.co.id https://www.google.ie https://www.google.co.il https://www.google.im https://www.google.co.in https://www.google.iq https://www.google.is https://www.google.it https://www.google.je https://www.google.com.jm https://www.google.jo https://www.google.co.jp https://www.google.co.ke https://www.google.com.kh https://www.google.ki https://www.google.kg https://www.google.co.kr https://www.google.com.kw https://www.google.kz https://www.google.la https://www.google.com.lb https://www.google.li https://www.google.lk https://www.google.co.ls https://www.google.lt https://www.google.lu https://www.google.lv https://www.google.com.ly https://www.google.co.ma https://www.google.md https://www.google.me https://www.google.mg https://www.google.mk https://www.google.ml https://www.google.com.mm https://www.google.mn https://www.google.ms https://www.google.com.mt https://www.google.mu https://www.google.mv https://www.google.mw https://www.google.com.mx https://www.google.com.my https://www.google.co.mz https://www.google.com.na https://www.google.com.ng https://www.google.com.ni https://www.google.ne https://www.google.nl https://www.google.no https://www.google.com.np https://www.google.nr https://www.google.nu https://www.google.co.nz https://www.google.com.om https://www.google.com.pa https://www.google.com.pe https://www.google.com.pg https://www.google.com.ph https://www.google.com.pk https://www.google.pl https://www.google.pn https://www.google.com.pr https://www.google.ps https://www.google.pt https://www.google.com.py https://www.google.com.qa https://www.google.ro https://www.google.ru https://www.google.rw https://www.google.com.sa https://www.google.com.sb https://www.google.sc https://www.google.se https://www.google.com.sg https://www.google.sh https://www.google.si https://www.google.sk https://www.google.com.sl https://www.google.sn https://www.google.so https://www.google.sm https://www.google.sr https://www.google.st https://www.google.com.sv https://www.google.td https://www.google.tg https://www.google.co.th https://www.google.com.tj https://www.google.tl https://www.google.tm https://www.google.tn https://www.google.to https://www.google.com.tr https://www.google.tt https://www.google.com.tw https://www.google.co.tz https://www.google.com.ua https://www.google.co.ug https://www.google.co.uk https://www.google.com.uy https://www.google.co.uz https://www.google.com.vc https://www.google.co.ve https://www.google.vg https://www.google.co.vi https://www.google.com.vn https://www.google.vu https://www.google.ws https://www.google.rs https://www.google.co.za https://www.google.co.zm https://www.google.co.zw https://www.google.cat https://www.gstatic.com/images/ https://www.googletagmanager.com/; manifest-src 'self'; media-src 'self'; report-uri https://YOURKEY.report-uri.com/r/d/csp/reportOnly; report-to https://YOURKEY.report-uri.com/b/g/h; worker-src 'self'; form-action 'self'; frame-ancestors 'self';"
},
{
"key": "Cache-Control",
"value": "public, max-age=31536000"
},
{ "key": "X-Content-Type-Options", "value": "nosniff" },
{
"key": "X-Frame-Options",
"value": "DENY"
},
{ "key": "X-XSS-Protection", "value": "1; mode=block" },
{ "key": "Referrer-Policy", "value": "no-referrer" },
{ "key": "Feature-Policy", "value": "microphone 'self'" },
{
"key": "Expect-CT",
"value": "max-age=86400, report-uri='https://YOURKEY.report-uri.com/b/g/h'"
},
{
"key": "Report-To",
"value": "'group':'default', 'max_age':31536000, 'endpoints':[{'url':'https://YOURKEY.report-uri.com/b/g/h'}],'include_subdomains':true'"
}
]
"headers" : [ {
"source": "**",
"headers" : [
{ "key" : "Access-Control-Allow-Origin", "value" : "*" },
{ "key" : "X-Frame-Options", "value" : "deny" },
{ "key" : "X-Content-Type-Options", "value" : "nosniff" },
{ "key" : "X-XSS-Protection", "value" : "1; mode=block" }
]
}],
This seemed to work perfectly well.
I deploy a static site on firebase hosting with some header configuarations.
But I some of my headers doesn't appear after the site deployed.
I tried change the value of Cache-Control header and it works.
But X-Frame-Options,Content-Security-Policy,X-Content-Type-Options doesn't.
firebase.json:
{
"hosting": {
"public": "public",
"ignore": ["firebase.json", "**/.*", "**/node_modules/**"],
"headers": [
{
"source": "**/*.#(html)",
"headers": [
{
"key": "Cache-Control",
"value": "max-age=3600"
},
{
"key": "X-Frame-Options",
"value": "SAMEORIGIN"
},
{
"key": "Content-Security-Policy",
"value":
"script-src 'self' 'unsafe-inline' cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' cdnjs.cloudflare.com"
}
]
},
{
"source": "**/*.#(jpg|jpeg|gif|png|ico|svg)",
"headers": [
{
"key": "Cache-Control",
"value": "max-age=2592000"
}
]
},
{
"source": "**/*.#(js|css)",
"headers": [
{
"key": "Cache-Control",
"value": "max-age=2592000"
}
]
},
{
"source": "**/*",
"headers": [
{
"key": "X-Content-Type-Options",
"value": "nosniff"
}
]
}
]
}
}
Actual response header I get:
After deploy, make sure to clear your browser's cache or use incognito mode. That's what happened to me, my custom headers were not showing because Chrome cached previously deployed version
am trying to link a chrome extension to firebase cloud messaging, but am getting
Unrecognized manifest key 'gcm_sender_id' error when i load the extension
image of the error,
here is my manifest file:
{
"manifest_version": 2,
"name": "iQU",
"description": "iQU",
"version": "1.0",
"browser_action": {
"default_icon": "icon.png",
"default_popup": "index.html"
},
"permissions": [],
"content_security_policy": "script-src 'self' 'unsafe-eval' https://cdn.firebase.com https://*.firebaseio.com https://*.firebaseio.com; object-src 'self'; ",
"web_accessible_resources": [
"assets/css/*",
"assets/js/*",
"assets/fonts/*"
],
"gcm_sender_id": "103953800507"
}
any help please?