daily-co / daily-js

https://docs.daily.co/reference/daily-js
BSD 2-Clause "Simplified" License

Issue embedding Daily-js in Chrome Extension Manifest v3 -- Refused to load the script 'https://c.daily.co/call-machine/versioned/0.70.0/static/call-machine-object-bundle.js' #254

Open abhagi opened 2 months ago

abhagi commented 2 months ago

Error Message

Refused to load the script 'https://c.daily.co/call-machine/versioned/0.70.0/static/call-machine-object-bundle.js' because it violates the following Content Security Policy directive

Additional Context

I am trying to embed a Daily.co audio/video/screenshare call within a Chrome Extension manifest version 3, using daily-js. I am using the custom call object approach instead of the Prebuilt UI approach, because I need to be able to customize app UI / functionality / layout management.

I initially tried DailyIframe.createCallObject(), which failed with an error message that this call requires 'unsafe-eval' and that is disallowed by the Content Security Policy within the extension.

I then followed the instructions on this Guide by the Daily-js team: https://docs.daily.co/guides/privacy-and-security/content-security-policy

The guide suggests avoiding unsafe-eval by creating the call object like this:

const call = Daily.createCallObject({
  dailyConfig: {
    avoidEval: true,
  },
});

However, this still requires adding a script-src directive to the Content Security Policy, with the URL 'https://*.daily.co'. And it appears that providing any URL here other than 'self' is not allowed in Chrome Extensions manifest v3.

Attempting this produces the error message I have shared above.

How can I get daily-js to work within a chrome extension?

Is it possible, for example, to bundle all required resources (like 'call-machine-object-bundle.js') within the extension and avoid all dynamic loading completely?

Related Past Issues

https://github.com/daily-co/daily-js/issues/166 User @nalhusail asked a similar question back in 2021, but the issue was closed before a response or resolution was provided. I would imagine that three years later, either the Daily team or the community has discovered a workaround. Would love some help with this!

vr000m commented 2 months ago

@abhagi

According to the developer that made a proof of concept Manifest v3 extension, the workaround was to download the call-machine bundle.

{
  "name": "daily-chrome-extension",
  "description": "Daily Chrome extension to connect to Daily meetings.",
  "version": "0.0.1",
  "manifest_version": 3,
  "minimum_chrome_version": "116",
  "background": {
    "service_worker": "serviceWorker.js"
  },
  "permissions": ["scripting", "tabs", "activeTab", "tabCapture", "offscreen"],
  "host_permissions": [
    "https://*/*",
    "http://localhost:*/*"
  ],
  "web_accessible_resources": [
    {
      "resources": ["call-machine-object-bundle-v0.67.0.js"],
      "matches": [
        "https://*/*",
        "http://localhost:*/*"
      ]
    }
  ],
  "action": {
    "default_title": "Daily extension",
    "default_popup": "popup.html",
    "default_icon": {
      "16": "/icons/16x.png",
      "32": "/icons/32x.png",
      "48": "/icons/48x.png",
      "128": "/icons/128x.png"
    }
  },
  "icons": {
    "16": "/icons/16x.png",
    "32": "/icons/32x.png",
    "48": "/icons/48x.png",
    "128": "/icons/128x.png"
  }
}
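As an added example (not code from this thread or from Daily): a small Node.js check that reports a remote host in the extension-page `script-src`, which is what Manifest V3 refuses in the first comment, and goes slightly beyond the thread by also flagging a bundled script that `web_accessible_resources` exposes to every HTTPS origin. `parseCsp`, `auditManifest` and `SAMPLE_MANIFEST` are names made up for this example, and the sample CSP string is constructed.

```javascript
// Added example (not from the thread). Sources MV3 accepts in the locked
// extension_pages directives; localhost (unpacked-only) is reported too.
const MV3_ALLOWED = new Set(["'self'", "'none'", "'wasm-unsafe-eval'"]);
const LOCKED = new Set(["script-src", "object-src", "worker-src"]);

// Split a CSP string into { directive: [sources...] }.
function parseCsp(policy) {
  const out = {};
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) out[name.toLowerCase()] = sources;
  }
  return out;
}

// Return a list of findings for one parsed manifest.json object.
function auditManifest(manifest) {
  const findings = [];
  const csp = (manifest.content_security_policy || {}).extension_pages || "";
  for (const [directive, sources] of Object.entries(parseCsp(csp))) {
    if (!LOCKED.has(directive)) continue;
    for (const src of sources.filter((s) => !MV3_ALLOWED.has(s))) {
      findings.push(`csp: ${directive} has disallowed source ${src}`);
    }
  }
  // A web-accessible script can be loaded by every page matching the
  // pattern; flag patterns that cover all hosts.
  for (const entry of manifest.web_accessible_resources || []) {
    const broad = (entry.matches || []).filter(
      (m) => m === "<all_urls>" || /^(\*|https?):\/\/\*\/\*$/.test(m));
    if (!broad.length) continue;
    const files = (entry.resources || []).join(", ");
    findings.push(`war: ${files} exposed to ${broad.join(", ")}`);
  }
  return findings;
}

// Constructed sample: the CSP the first comment describes, plus the
// web_accessible_resources entry from the manifest posted in the reply.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  content_security_policy: {
    extension_pages: "script-src 'self' https://*.daily.co; object-src 'self'" },
  web_accessible_resources: [{
    resources: ["call-machine-object-bundle-v0.67.0.js"],
    matches: ["https://*/*", "http://localhost:*/*"] }],
};
console.log(auditManifest(SAMPLE_MANIFEST).join("\n"));
```

Narrowing the `matches` list to the origins that actually need the bundle clears the second finding; the first clears once the script is served from the extension package and the remote host is dropped from `script-src`.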