segmentio / chrome-sidebar

Easiest way to embed an iframe as a chrome extension
https://open.segment.com

Refused to frame because it violates the following Content Security Policy directive #6

Open benholtzmansmith opened 5 years ago

benholtzmansmith commented 5 years ago

I am using chrome-sidebar to load a website as an iframe. When I try to run the extension on Gmail (https://mail.google.com/mail), I get the following error:

mail.google.com/:1 Refused to frame '[my-website]' because it violates the following Content Security Policy directive: "frame-src 'self' https://clients4.google.com/insights/consumersurveys/ https://calendar.google.com/accounts/ https://ogs.google.com https://onegoogle-autopush.sandbox.google.com https://accounts.google.com/ https://apis.google.com/u/ https://apis.google.com/_/streamwidgets/ https://clients6.google.com/static/ https://content.googleapis.com/static/ https://mail-attachment.googleusercontent.com/ https://www.google.com/calendar/ https://calendar.google.com/calendar/ https://docs.google.com/ https://drive.google.com https://*.googleusercontent.com/docs/securesc/ https://feedback.googleusercontent.com/resources/ https://www.google.com/tools/feedback/ https://support.google.com/inapp/ https://*.googleusercontent.com/gadgets/ifr https://hangouts.google.com/ https://talkgadget.google.com/ https://*.talkgadget.google.com/ https://www-gm-opensocial.googleusercontent.com/gadgets/ https://plus.google.com/ https://wallet.google.com/gmail/ https://www.youtube.com/embed/ https://clients5.google.com/pagead/drt/dn/ https://clients5.google.com/ads/measurement/jn/ https://www.gstatic.com/mail/ww/ https://www.gstatic.com/mail/intl/ https://clients5.google.com/webstore/wall/ https://ci3.googleusercontent.com/ https://gsuite.google.com/u/ https://gsuite.google.com/marketplace/appfinder https://www.gstatic.com/mail/promo/ https://notifications.google.com/ https://tracedepot-pa.clients6.google.com/static/ https://mail-payments.google.com/mail/payments/ https://staging-taskassist-pa-googleapis.sandbox.google.com https://taskassist-pa.clients6.google.com https://appsassistant-pa.clients6.google.com https://*.client-channel.google.com/client-channel/client https://clients4.google.com/invalidation/lcs/client https://tasks.google.com/embed/ https://keep.google.com/companion https://contacts.google.com/widget/hovercard/v/2 https://*.googleusercontent.com/confidential-mail/attachments/".

It seems like this is caused by the restrictive Content Security Policy: https://bugs.chromium.org/p/chromium/issues/detail?id=408932

However, looking through the source code, it seems like this code modifies the proper "frame-src" permissions and loads the iframe in the same way specified here: https://stackoverflow.com/questions/24641592/injecting-iframe-into-page-with-restrictive-content-security-policy

Any idea why this error is still occurring? It loads perfectly on every other website aside from https://mail.google.com/mail.
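The refusal in the error above, worked through as an added example (not chrome-sidebar's code): a small evaluator for the CSP3 frame-src source-expression rules (wildcard hosts, ports, path prefixes), run against a constructed excerpt of the directive quoted in this issue; `example.com` stands in for the sidebar's own site.

```javascript
// Constructed excerpt of the Gmail frame-src directive quoted in this issue.
const GMAIL_CSP =
  "frame-src 'self' https://docs.google.com/ https://drive.google.com " +
  "https://*.googleusercontent.com/docs/securesc/ https://www.youtube.com/embed/";
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Parse a CSP header into { directiveName: [sourceExpression, ...] };
// the first occurrence of a directive wins, as in the spec.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !(name.toLowerCase() in directives)) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Does one source expression match `url`? `page` is the URL of the document
// that carries the policy; it backs 'self' and scheme-less host sources.
function sourceMatches(expr, url, page) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return url.origin === page.origin;
  if (expr === "*") return !["data:", "blob:", "filesystem:"].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase(); // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:*]+)(?::(\d+|\*))?(\/[^?#]*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  if (url.protocol !== (scheme ? scheme.toLowerCase() + ":" : page.protocol)) return false;
  // Host: "*.example.com" matches subdomains only, never example.com itself.
  const h = host.toLowerCase();
  if (wildcard ? !url.hostname.endsWith("." + h) : url.hostname !== h) return false;
  // Port: an explicit port (or "*") must match; none means the scheme's default port.
  const urlPort = url.port || DEFAULT_PORTS[url.protocol] || "";
  if (port ? port !== "*" && port !== urlPort : urlPort !== DEFAULT_PORTS[url.protocol]) return false;
  // Path: a trailing "/" is a prefix match, anything else must match exactly.
  return !path || (path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path);
}

// True if a document at `documentUrl` carrying `cspHeader` may frame `frameUrl`.
// frame-src falls back to child-src, then default-src; absent all three, nothing is restricted.
function frameAllowed(cspHeader, documentUrl, frameUrl) {
  const d = parseCsp(cspHeader);
  const sources = d["frame-src"] ?? d["child-src"] ?? d["default-src"];
  if (!sources) return true;
  const url = new URL(frameUrl);
  const page = new URL(documentUrl);
  return sources.some((s) => sourceMatches(s, url, page));
}
```

Running `frameAllowed(GMAIL_CSP, "https://mail.google.com/mail/u/0/", "https://example.com/sidebar")` returns false for exactly the reason in the console message: no source expression in the list covers the sidebar's origin, so injecting the iframe into the already-loaded document cannot succeed unless the response header itself was changed.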

jiangts commented 5 years ago

Any ideas on this? I'm running into the same issue...

jiangts commented 5 years ago

So after further investigation, I think it's because this chrome extension doesn't modify CSP headers when the request is from a service worker.

Gmail's service workers make requests that include the CSP headers above. It appears that there's no convenient API for this, either (https://groups.google.com/a/chromium.org/forum/#!topic/chromium-extensions/j4amGInvP5E).

So, not sure if we're just stuck or if there's a better way to proceed.

maulik-modi commented 4 years ago

@dominicbarnes, any insights here?