Closed alexstrat closed 6 years ago
Strange, I don't reproduce the gmelius bug. Use case should be cool for reproduce the bug. The code looks good after reading this
We have tried to inject CSP policies with meta[http-equiv="Content-Security-Policy"]
but we are fucked up because we can't add all type of keys and if the server return nonce
, we can't add neither.
The expected code that doesn't work https://github.com/getstation/electron-chrome-extension/compare/feature/csp?expand=1
(to test, you will need to build electron locally with python script/build.py
and run ../electron/out/D/Electron.app/Contents/MacOS/Electron example/main.js
)
We tried to replace GURL(sourceOrigin.c_str())
with blink::WebURL url((GURL(sourceOrigin)));
because the header file use the WebURL type. After long minutes of compilation et running it, the error still the same.
void WebFrame::AddOriginAccessWhitelistEntry(
const std::string& sourceOrigin,
const std::string& destinationProtocol,
const std::string& destinationHost,
bool allowDestinationSubdomains) {
blink::WebURL sourceOrigin((GURL(sourceOrigin)));
blink::WebSecurityPolicy::AddOriginAccessWhitelistEntry(
sourceOrigin,
blink::WebString::FromUTF8(destinationProtocol),
blink::WebString::FromUTF8(destinationHost),
allowDestinationSubdomains);
};
@hugomano I only had a time to do a static exploration. Here are few things I hope will help you:
I may have misguided you: the support for content_security_policy
manifest key may not be solved by adding the AddOriginAccessWhitelistEntry
.
Indeed, in Chromium code, tracing the handling of the content_security_policy
manifest key leads me to the use of the WebKit's WebFrame
's method SetIsolatedWorldContentSecurityPolicy
which is probably the one we need to use.
_Btw the lines that actually do the script injection in Chromium are worth looking closely_
At this point then, you need to rely on WebKit's "isolated world" to do script injection which is not the case today but is definitely the right thing to do to avoid problems. The good news is that I had started working on this and that it's feasible, the bad news is that it's not finished.
Therefore you might need to continue from there:
webFrame.executeJavaScriptInIsolatedWorld
(again, check the lines that actually do the script injection in Chromium)electron-chrome-extension
webFrame.setIsolatedWorldContentSecurityPolicy
and leverage it in electron-chrome-extension
That being said I'm not sure Gmelius's bug is directly linked to the non-support of content_security_policy
manifest key. Would you mind copy pasting the actual bug report in this thread?
Good luck
runContentScript
to setupContentScript
and addContentScript
url
to executeJavaScriptInIsolatedWorld
runAt
to executeJavaScriptInIsolatedWorld
already done by AlexScriptExecutionType
on Alex's PRSetIsolatedWorldSecurityOrigin
in electron
SetIsolatedWorldContentSecurityPolicy
in electron
fetch
method => fixed with SetIsolatedWorldSecurityOrigin
SetIsolatedWorldHumanReadableName
in electron
addOriginAccessWhitelistEntry
in electron-chrome-extension
using isolated world addContentScript
(previously runContentScript
) to electron
=> not for the momentI think you need to webFrame.setIsolatedWorldSecurityOrigin(0, 'chrome-extension://${cs.chromeStoreExtensionId}\')
in the background page
I don't have the stack-trace at the time of writing, but please complete with it. The issue seem to come from CSP problematics.
Gmelius use the
content_security_policy
key in its manifest: see here.I think this issue is linked: https://github.com/electron/electron/issues/10180
I realized that started working on this and let let hanging. I committed as it (don't remember if it worked) and push on this branch:
add-web-frame-add-origin-access-whitelist-entry
.This should be used on used in the
electron-chrome-extension
pacakage to support thecontent_security_policy
key.