I'm trying to write a Chrome extension that uses the MathJax library. I'm using a local copy of the MathJax code in my extension, which I load as a content script in `manifest.json`:

```json
{
  "name": "mathjax-example",
  "version": "1.0",
  "manifest_version": 3,
  "web_accessible_resources": [
    {
      "resources": ["mathjax/*", "mathjax-config.js"],
      "matches": [ "https://oeis./*" ]
    }
  ],
  "content_scripts": [
    {
      "js": ["content.js", "mathjax-config.js", "mathjax/es5/tex-mml-chtml.js"],
      "matches": [ "https://oeis./*" ]
    }
  ],
  "content_security_policy": {
    "extension_pages": "default-src 'self'; script-src 'self' 'wasm-unsafe-eval'; font-src 'self'; style-src 'self' 'unsafe-inline'; script-src-elem 'self' 'wasm-unsafe-eval' 'inline-speculation-rules' https://oeis.;"
  }
}
```

However, visiting the specified site gives me the following error in the console:

```
tex-mml-chtml.js:1 Refused to load the script 'https://../es5/input/asciimath.js' because it violates the following Content Security Policy directive:
"script-src 'self' 'wasm-unsafe-eval' 'inline-speculation-rules' http://localhost:* http://127.0.0.1:* chrome-extension://d9272ae4-ea80-492e-a847-191300b9c6fa/".
Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
```

It looks like running `tex-mml-chtml.js` will add the following script element to the page, which then tries to run `asciimath.js`:

```html
<script src="//../../es5/input/asciimath.js" charset="UTF-8"></script>
```

So either MathJax is written insecurely, or (more likely) I've configured something wrong. What I'm confused about is the error "'script-src-elem' was not explicitly set", since I have specified `script-src-elem` in my `content_security_policy` of `manifest.json`.

To reproduce this error, you can load this repository as an "Unpacked extension" on Chrome (my Chrome version is v132.0.6834.160 on Windows 10), visit the specified site and view the browser console.

I am very new to javascript so any insights would be greatly appreciated!
asked Feb 11 at 5:17 by Max Dudek

1 Answer

I might be wrong, but `//../../es5/input/asciimath.js` doesn't seem like it's specifying the intended path. This results in the full URL being `https://../es5/input/asciimath.js`, and `(new URL('https://../es5/input/asciimath.js')).origin` is `'https://..'`, which does not exist.

Secondly, `content_security_policy` does not apply to content scripts. From the Chrome docs:

> The "extension pages" policy applies to page and worker contexts in the extension. This would include the extension popup, background worker, and tabs with HTML pages or iframes that were opened by the extension

You might want to try to include the `asciimath.js` file in the `content_scripts` field.

If this doesn't work, try checking out MathJax docs.

And I can see you opened an issue in the MathJax repo https://github/mathjax/MathJax/issues/3329.
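
The two points in the answer above can be checked offline. This is an added example, not code from the post or from MathJax: it resolves the injected `src` the way a browser would and tests it against the `script-src` list quoted in the console error, using a simplified source matcher. `PAGE` is a placeholder page URL, the packaged path `mathjax/es5/input/asciimath.js` is assumed from the manifest layout, and `selfOrigin` is a parameter because the example does not assume which origin `'self'` denotes for a content script.

```javascript
// Effective policy, copied from the console error quoted in the question.
const POLICY = "script-src 'self' 'wasm-unsafe-eval' 'inline-speculation-rules' " +
  "http://localhost:* http://127.0.0.1:* " +
  "chrome-extension://d9272ae4-ea80-492e-a847-191300b9c6fa/";
const EXT = "chrome-extension://d9272ae4-ea80-492e-a847-191300b9c6fa";
const PAGE = "https://page.example/some/page"; // placeholder page URL (assumption)
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// scheme://host of a URL (url.origin is "null" for chrome-extension: in Node).
const originOf = (url) => `${url.protocol}//${url.host}`;

// Simplified CSP host-source match: scheme, exact host, port, path prefix.
// Wildcard hosts and scheme-only sources are not handled.
function sourceMatches(source, url) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:]+)(?::(\*|\d+))?(\/.*)?$/i.exec(source);
  if (!m) return false; // quoted keywords such as 'wasm-unsafe-eval' match no URL
  const [, scheme, host, port, path] = m;
  const proto = scheme.toLowerCase() + ":";
  // An http: source also covers the https: form of the same host.
  if (url.protocol !== proto && !(proto === "http:" && url.protocol === "https:")) return false;
  if (url.hostname !== host.toLowerCase()) return false;
  const urlPort = url.port || DEFAULT_PORT[url.protocol];
  if (port === undefined ? url.port !== "" : port !== "*" && port !== urlPort) return false;
  if (!path || path === "/") return true;
  return path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path;
}

// True if any source in a single "script-src ..." directive admits the URL.
function scriptAllowed(policy, url, selfOrigin) {
  const [name, ...sources] = policy.trim().split(/\s+/);
  if (name !== "script-src") throw new Error("expected a script-src directive");
  return sources.some((s) =>
    s === "'self'" ? originOf(url) === selfOrigin : sourceMatches(s, url));
}

function demo() {
  // The src MathJax injected, resolved against the page it was injected into.
  const injected = new URL("//../../es5/input/asciimath.js", PAGE);
  // The same file addressed inside the extension package (assumed path).
  const packaged = new URL(EXT + "/mathjax/es5/input/asciimath.js");
  return {
    injectedHref: injected.href,
    injectedAllowed: scriptAllowed(POLICY, injected, EXT),
    packagedAllowed: scriptAllowed(POLICY, packaged, EXT),
  };
}

console.log(demo());
```

The injected URL is refused whether `selfOrigin` is the extension origin or the page origin, because its host is the literal `..`; only a URL under the extension's own `chrome-extension://` origin passes this list.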
`content_scripts` -> `js`. Note that `content.js` should be the last in the list. If done correctly there should be no need for web_accessible_resources or content_security_policy. – woxxom, commented Feb 11 at 11:55