cesine / todomvc-for-chrome-extensions

Chrome Extension Tested - MV* Todo apps for Backbone.js, JavaScriptMVC, Ember.js, Dojo, Spine.js, YUILibrary, Knockout.js and more
http://addyosmani.github.com/todomvc

Add a chrome extension manifest with content security policy v2 #1

Closed cesine closed 12 years ago

cesine commented 12 years ago

http://code.google.com/p/chromium/issues/detail?id=107538

In fact, I am hard pressed to find a JS framework or library that satisfies your requirements. I chose some random libs and all of them use eval and/or new Function, so you might as well blacklist these on your Chrome Extension page so developers know:

Sencha ExtJS, Dojo Toolkit, qooxdoo, SproutCore, mustache.js, jrender.js, ejs.js, haml.js, jade.js, jQuery Template, jquery-jtemplates.js, jquery.jqote2.js, jquery.views.js, baba.js, underscore.js, midori.js, processing.js, jsrender.js, ...
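A first-pass way to build such a list, as an added example that is not code from this repository: a regex scan over library sources for the constructs Chrome's extension CSP blocks unless 'unsafe-eval' is granted (eval, the Function constructor, and setTimeout/setInterval with a string argument). It is a heuristic, not a JavaScript parser, so a match inside a comment or string literal is a false positive and an aliased call such as window["eval"] is a miss; the two sample sources are constructed here for the demonstration.

```javascript
// Added example, not code from todomvc-for-chrome-extensions.
// Heuristic scan for constructs that require 'unsafe-eval' under CSP.
const EVAL_PATTERNS = [
  { kind: 'eval()', re: /\beval\s*\(/g },
  // Matches both `new Function(` and a bare `Function(` call; the lookbehind
  // avoids `someFunction(` and `obj.Function(`.
  { kind: 'Function constructor', re: /(?<![\w$.])(?:new\s+)?Function\s*\(/g },
  // Only the string-argument form is blocked; a callback argument is fine.
  { kind: 'setTimeout/setInterval with string', re: /\bset(?:Timeout|Interval)\s*\(\s*['"`]/g },
];

// Returns one finding per match, with 1-based line numbers.
function scanSource(file, source) {
  const findings = [];
  source.split('\n').forEach((line, i) => {
    for (const { kind, re } of EVAL_PATTERNS) {
      re.lastIndex = 0;
      while (re.exec(line) !== null) {
        findings.push({ file, line: i + 1, kind, snippet: line.trim() });
      }
    }
  });
  return findings;
}

// Scan a map of file name -> source text; returns findings per file.
function needsUnsafeEval(sources) {
  const report = {};
  for (const [file, src] of Object.entries(sources)) {
    report[file] = scanSource(file, src);
  }
  return report;
}

// Constructed samples (not real libraries): a template engine that compiles
// templates to code, and a library that renders without code generation.
const SAMPLES = {
  'templating.js': `
function compile(tpl) {
  var body = "return '" + tpl.replace(/<%=(.+?)%>/g, "' + ($1) + '") + "';";
  return new Function('data', body);
}
function lazy(code) { return eval(code); }
`,
  'clean.js': `
function render(tpl, data) {
  return tpl.replace(/<%=\\s*(\\w+)\\s*%>/g, function (_, key) { return String(data[key]); });
}
setTimeout(function () { render('<%= x %>', { x: 1 }); }, 0);
`,
};

console.log(JSON.stringify(needsUnsafeEval(SAMPLES), null, 2));
```

Run it with node; a library with an empty finding list is a candidate for working under the default extension policy, while anything flagged needs either 'unsafe-eval' in the manifest or a precompiled-template build of the library.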

cesine commented 12 years ago

Refused to load the image 'http://gravatar.com/avatar/70ee60f32937b52758869488d5753259?s=40' because it violates the following Content Security Policy directive: "default-src 'self' ".

fixed with

"content_security_policy" : "default-src 'self'; img-src 'self' http://gravatar.com;"

cesine commented 12 years ago

There are inline script errors for the Twitter widgets and Google Analytics errors on the main page... but I'll ignore them for now since it's the apps that are the main goal.

Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". index.html:109
Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'". index.html:276
Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'". index.html:277
Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'". index.html:278

cesine commented 12 years ago

Since only 3 out of 14 frameworks worked out of the box with a default content security policy, I decided to add script-src 'unsafe-eval'; object-src 'unsafe-eval';

8 out of 14 of the examples needed eval, so by adding this line to the manifest we are now up to 11 ToDoMVC apps which work for chrome extensions.

cesine commented 12 years ago
{
  "name": "ToDoMVC - In Chrome Extensions",
  "version": "1.1",
  "description": "Helping you select an MV* framework for Chrome Extensions - Todo apps for Backbone.js, Ember.js, AngularJS, Spine and many more",

  "app": {
    "launch": {
      "local_path": "index.html"
    }
  },
  "offline_enabled": true,
  "permissions": [
    "unlimitedStorage"
  ],
  "icons": {},
  "manifest_version": 2,
  "content_security_policy": "default-src 'self'; img-src 'self' http://gravatar.com; script-src 'unsafe-eval'; object-src 'unsafe-eval';"
}
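To check a manifest policy before shipping it, here is an added example (not code from this repository) that evaluates the CSP strings quoted in this thread the way the browser does. The one rule worth internalising is the fallback rule: a resource-specific directive such as img-src or script-src, when present, completely replaces default-src for that resource type, so 'self' is not inherited into it. The extension id and the app.js path below are constructed for the demonstration; the gravatar URL is the one from the error message above.

```javascript
// Added example, not code from todomvc-for-chrome-extensions.
// Minimal CSP source-list evaluator implementing the default-src fallback rule.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// "name src src; name src" -> { name: [src, src], ... }; first occurrence wins.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// The source list that governs a resource type: the specific directive if
// present, otherwise default-src, otherwise null (unrestricted).
function effectiveSources(directives, directive) {
  if (directive in directives) return directives[directive];
  if ('default-src' in directives) return directives['default-src'];
  return null;
}

// Compared field by field: URL.origin is "null" for chrome-extension: URLs.
function sameOrigin(a, b) {
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// Match one source expression against a URL (scheme, host, port; path ignored).
function sourceMatches(source, url, self) {
  if (source === "'self'") return sameOrigin(url, self);
  if (source.startsWith("'")) return false;            // 'unsafe-eval' etc. never match a URL
  if (source === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return source.toLowerCase() === url.protocol;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme) {
    if (scheme.toLowerCase() + ':' !== url.protocol) return false;
  } else if (url.protocol !== self.protocol && url.protocol !== 'https:') {
    return false;                                      // no scheme: page's scheme, https allowed
  }
  const h = host.toLowerCase();
  if (h.startsWith('*.') ? !url.hostname.endsWith(h.slice(1)) : url.hostname !== h) return false;
  const urlPort = url.port || DEFAULT_PORTS[url.protocol] || '';
  if (port && port !== '*' && port !== urlPort) return false;
  return true;
}

function allowsUrl(policy, directive, urlString, pageUrl) {
  const sources = effectiveSources(parseCsp(policy), directive);
  if (sources === null) return true;
  const url = new URL(urlString);
  const self = new URL(pageUrl);
  return sources.some((s) => sourceMatches(s, url, self));
}

function allowsKeyword(policy, directive, keyword) {
  const sources = effectiveSources(parseCsp(policy), directive);
  return sources === null || sources.includes(keyword);
}

// The three policies quoted in this thread.
const DEFAULT_POLICY = "default-src 'self'";
const IMG_POLICY = "default-src 'self'; img-src 'self' http://gravatar.com;";
const MANIFEST_POLICY = "default-src 'self'; img-src 'self' http://gravatar.com; script-src 'unsafe-eval'; object-src 'unsafe-eval';";

// Constructed: the extension id is made up; the avatar URL is from the error above.
const PAGE = 'chrome-extension://abcdefghijklmnop/index.html';
const AVATAR = 'http://gravatar.com/avatar/70ee60f32937b52758869488d5753259?s=40';
const OWN_SCRIPT = 'chrome-extension://abcdefghijklmnop/js/app.js';

console.log(allowsUrl(DEFAULT_POLICY, 'img-src', AVATAR, PAGE));            // false: the gravatar error
console.log(allowsUrl(IMG_POLICY, 'img-src', AVATAR, PAGE));                // true
console.log(allowsKeyword(DEFAULT_POLICY, 'script-src', "'unsafe-eval'"));  // false
console.log(allowsKeyword(MANIFEST_POLICY, 'script-src', "'unsafe-eval'")); // true
console.log(allowsKeyword(MANIFEST_POLICY, 'script-src', "'unsafe-inline'")); // false: inline-script errors remain
// script-src is present, so it replaces default-src for scripts and 'self' is
// not inherited: under the fallback rule the extension's own files are not matched.
console.log(allowsUrl(MANIFEST_POLICY, 'script-src', OWN_SCRIPT, PAGE));    // false
```

The last line is the check to run against a manifest before relying on it: whenever you add a script-src directive to relax eval, repeat 'self' in it (script-src 'self' 'unsafe-eval') so the policy still names the origin the extension's own scripts are loaded from.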