mlgualtieri / CSS-Exfil-Protection

Official repository for the CSS Exfil Protection browser extensions.
MIT License

XHR error with Deepl (error in CSP) #30

Closed ghost closed 4 years ago

ghost commented 4 years ago

During my translation I have seen an error in the CSP, which doesn't use connect-src (it must be set to something like "connect-src 'https://'"). The error from Chromium: Refused to connect to 'https://static.deepl.com/css/deepl.$88d774.css' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.

mlgualtieri commented 4 years ago
Good catch. I haven't seen any issues from my general browsing for a week with the new Chrome functionality, but I'm sure there will be some glitches. Do you have the URL that triggers the error so I can test?
ghost commented 4 years ago

Yep, here: https://www.deepl.com/translator or https://www.mike-gualtieri.com/css-exfil-vulnerability-tester. It may be the cause of this issue: https://github.com/mlgualtieri/CSS-Exfil-Protection/issues/31

ghost commented 4 years ago

Maybe it can help: for the test I use Vivaldi snapshot (Chromium 85) and have enabled these flags to force-enable the upcoming CSP change in Chrome: chrome://flags/#cors-for-content-scripts chrome://flags/#force-empty-CORB-and-CORS-allowlist

ghost commented 4 years ago

@mlgualtieri I have found where the problem stands. My patch: "content_security_policy": "default-src 'self'"; you haven't implemented it, and I forgot to add connect-src, so with "content_security_policy": "default-src 'self'; connect-src https://*" the error disappears. I will push that CSP change with the translation (if you want to test the translated version before merging).