starmoney020 / exif-vewer-extension

Automatically exported from code.google.com/p/exif-vewer-extension
0 stars 0 forks source link

Breaks sites with Content Security Policies eg. mega.co.nz #129

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Goto mega.co.nz
2. Site doesn't load
3. Error:
Refused to load the script 
'https://ajax.googleapis.com/ajax/libs/webfont/1/webfont.js' because it 
violates the following Content Security Policy directive: "script-src 'self' 
'unsafe-eval' mega.co.nz data: blob:".

What is the expected output? What do you see instead?
Site loads

Please provide any additional information below.
Either disable the extension when encountering an incompatible CSP, add an 
option to blacklist extension on certain domains or just blacklist mega.co.nz.

I'm using Chrome Version 30.0.1599.0 dev and Exif Viewer 2.3.1

Original issue reported on code.google.com by asgerdre...@gmail.com on 14 Aug 2013 at 3:03

GoogleCodeExporter commented 8 years ago
Works in all other browsers

Original comment by FateF...@gmail.com on 18 Nov 2013 at 12:38

GoogleCodeExporter commented 8 years ago
Fixed. 

While Google prefers websites to remotely load their webfonts at the HTML/CSS 
level instead of embedding them locally, it's a security issue for scripts to 
do so and extensions should instead embed fonts where their licenses allow it.

The attachment here is the 2.1.0 trunk, edited to use embedded webfonts, with a 
minor correction to the manifest which ensures internal reference to the 16x16 
overlay / window icon file will work (it appeared as a broken image in the 
"title bar" and did not appear at all in the image's corner. 

webfont.js has been removed from the manifest's list of scripts and the 
scriptfile's code commented out, options.css has had a selector typo corrected 
(maring changed to margin), and a font folder added with Oswald and Quicksand 
(not sure Quicksand's even used, but webfont.js referenced it) and their OFL 
license file.

.svn directories were removed for simplicity's sake. Other files and folders 
were left as is.

Original comment by ydoomen...@gmail.com on 18 Nov 2013 at 6:43

Attachments:

GoogleCodeExporter commented 8 years ago
Thanks for the update. 

How we should make the update of the current version 2.3.1 in Chrome?
Are we able to make it manually or we should wait for the update in Chrome's 
Store?

Thanks

Original comment by ipelu...@gmail.com on 19 Nov 2013 at 1:32

GoogleCodeExporter commented 8 years ago
I forgot this was a Chrome Web Store extension. I'll contact Andry about this, 
because I'd also like to implement DOM Mutation Observers for sites with 
AJAX-loaded content (if 2.3.x doesn't already).

Original comment by ydoomen...@gmail.com on 19 Nov 2013 at 4:10

GoogleCodeExporter commented 8 years ago
I've sent Andry the changes and if he doesn't reply inside a week I'll post 
them here.

Original comment by ydoomen...@gmail.com on 19 Nov 2013 at 5:41

GoogleCodeExporter commented 8 years ago
Is there any update related to the issue?

Thanks in advance

Original comment by ipelu...@gmail.com on 30 Dec 2013 at 8:29