Whitelist multiple domains in content security policy

google-chrome-extension content-security-policy
Chris Sobolewski picture Chris Sobolewski · Jul 22, 2013 · Viewed 20.1k times · Source

I am writting a chrome extension that needs to have two domains in its whitelist for the content security policy. I've looked at the official docs, but I still can't seem to figure out the proper syntax.

The following does not seem to work: 

"content_security_policy": "script-src 'self' https://foo.com https://example.com; object-src 'self'"

EDIT:

Both my content script and my popup are able to reach foo.com, however, neither can reach example.com.

Are chrome extensions capable of having multiple sources whitelisted in the CSP?

Answer

apsillers picture apsillers · Jul 22, 2013

From what I know about CSPs, this looks syntactically correct. The HTML5 Rocks article on CSP agrees with your syntax, saying:

script-src https://host1.com https://host2.com would correctly specify both origins as valid.

However, your problem may be that either:

  1. This CSP disallows all subdomains, including www.foo.com and www.example.com. You can add those subdomain hostnames explicitly, or you can use https://*.foo.com to allow all subdomains.

  2. If any of your script requests redirect to a non-permitted domain, the request will fail. For example, if https://example.com/foo.js responds with a 301 or 302 redirect to https://notpermitted.com/foo.js (not-permitted origin) or https://www.example.com/foo.js (non-permitted subdomain), the request will fail according to the spec:

    Whenever the user agent fetches a URI (including when following redirects)... if the URI does not match the allowed script sources, the user agent must act as if it had received an empty HTTP 400 response...

EDIT:

Just to confirm, yes, Chrome extensions can whitelist multiple HTTPS origins. You can build a simple extension to test this:

manifest.json

{
    "name":"CSP Test",
    "version":"1.0",
    "manifest_version":2,
    "browser_action":{
        "default_popup":"csp_test.html"
    },
    "content_security_policy": "script-src 'self' https://www.iana.org https://ajax.googleapis.com; object-src 'self'"
}

csp_test.html

<script src="https://www.iana.org/_js/2013.1/jquery.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/jqueryui/1.10.3/jquery-ui.min.js"></script>
<script src="csp_test.js"></script>

csp_test.js

alert(jQuery)
alert(jQuery.ui)

This extension loads jQuery and jQuery UI from remote domains. If you remove either origin from the CSP, you will see an "undefined" alert signifying that one of the libraries failed to load.

Related questions

Refused to apply inline style because it violates the following Content Security Policy directive

So, in about 1 hour my extensions failed hard. I was doing my extension and it was doing what I pretended. I made some changes, and as I didnt liked I deleted them, and now my extension is throwing error: Refused …

Read More
Chrome version 18+: How to allow inline scripting with a Content Security Policy?

Chrome 18 Dev/Canary has just been released, and content_security_policy will be needed in the manifest for certain extensions. I'm trying to get a CSP working for inline scripting, but I don't know if I'm doing something wrong or …

Read More
Extension refuses to load the script due to Content Security Policy directive

Following is my code of HTML Scripts: <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js"></script> <script src="background.js"></script> HTML: <button name="btnlogin" id="btnlogin"&…

Read More