Refused to connect to [url] because it violates the following Content Security Policy directive

问题

I am the author of a Chrome extension that allows to translate status updates and comments right on Facebook: https://chrome.google.com/webstore/detail/facebook-translate/plofenifjagmdikfcobngnfmmnfmphin

For some days now, my users and me are getting an error in the error console that sais:

Refused to connect to 'https://api.microsofttranslator.com/V2/Http.svc/Translate?appId=&text=Chrome-Integration%3A+Google+bringt+Google+Now+auf+Desktop-PCs&to=en&contentType=text%2Fhtml' because it violates the following Content Security Policy directive: "connect-src https://.facebook.com http://.facebook.com https://.fbcdn.net http://.fbcdn.net *.facebook.net .spotilocal.com: https://.akamaihd.net ws://.facebook.com:* http://*.akamaihd.net".

In my chrome extension I did set the content security policy as follow:

"content_security_policy": "script-src 'self' https://ssl.google-analytics.com; object-src 'self'"

The URIs in the error console, however, are FB URIs only so that's why I'm thinking Facebook did update their site to restrict access to remote URIs. I'm not certain if it could be a Chrome issue, so sorry if I started the topic on the wrong stackoverflow network. :)

Can anyone confirm (and maybe point me to a possible solution for) this issue? Thanks everyone!

回答1:

Extensions should bypass a page's Content Security Policy when executing XMLHTTPRequest from a content script. They currently aren't, which is a bug. I've filed https://bugs.webkit.org/show_bug.cgi?id=104480 to take a look at fixing it.

Are you executing XHR from your extension's content script, or are you executing it in the background page? The latter should work right now.

回答2:

The error message says your are trying to connect to 'https://api.microsofttranslator.com/ domain which is not specified in connect-src of CSP Directive

It seems you have listed

"connect-src 
            https://.facebook.com 
            http://.facebook.com 
            https://.fbcdn.net 
            http://.fbcdn.net *.facebook.net .spotilocal.com: 
            https://.akamaihd.net ws://.facebook.com:* 
            http://*.akamaihd.net".

the above domains for connect-src policy, add the new domain microsofttranslator.com if it is valid.

Let me know if you need more information.

来源：https://stackoverflow.com/questions/13786918/refused-to-connect-to-url-because-it-violates-the-following-content-security-p