2

In light of this link , it would seem inline scripts such as are used for inserting a recaptcha object in the page, via 

<script type="text/javascript"
     src="http://www.google.com/recaptcha/api/challenge?k=your_public_key">
</script>
<noscript>
<iframe src="http://www.google.com/recaptcha/api/noscript?k=your_public_key"
     height="300" width="500" frameborder="0"></iframe><br>
<textarea name="recaptcha_challenge_field" rows="3" cols="40">
</textarea>
<input type="hidden" name="recaptcha_response_field"
     value="manual_challenge">
</noscript>

or via

 <script type="text/javascript" src="http://www.google.com/recaptcha/api/js/recaptcha_ajax.js"></script>

with

Recaptcha.create("your_public_key",
"element_id",
{
  theme: "red",
  callback: Recaptcha.focus_response_field
}

);

I always get some complaint about the content security policy, despite my manifest.json apparently allowing urls' like http://www.google.com/recaptcha/api/js/recaptcha_ajax.js

Am I missing something really obvious that makes this whole question crazy?

Improve this question

3 Answers 3

Reset to default
4

I just spent two hours fighting with this. For me, and I think for this example as well, the problem lies in the src attribute; that is, in the http:. Changing the references as follows:

<script type="text/javascript" 
     src="https://www.google.com/recaptcha/api/challenge?k=your_public_key">
              ^  v
<iframe src="https://www.google.com/recaptcha/api/noscript?k=
     height="300" width="500" frameborder="0"></iframe>

fixed the problem. Basically, you're attempting to access the google api with an unsecure connection, and certain browsers (e.g., Chrome) don't render insecure content by default.

Improve this answer
1

In a Chrome extension, the non-secure http cannot be whitelisted via the CSP.
The documentation states:

Relaxing the default policy

(...) If, on the other hand, you have a need for some external JavaScript or object resources, you can relax the policy to a limited extent by whitelisting specific HTTPS origins from which scripts should be accepted. Whitelisting insecure HTTP resources will have no effect. This is intentional, because we want to ensure that executable resources loaded with an extension's elevated permissions is exactly the resource you expect, and hasn't been replaced by an active network attacker. As man-in-the-middle attacks are both trivial and undetectable over HTTP, only HTTPS origins will be accepted.

Improve this answer
4
  • I have this same problem. What can we do then?
    – Vigneshwaran
    Commented Jul 6, 2012 at 9:05
  • @Vigneshwaran What's your problem? Consider creating a new question with specific details if needed.
    – Rob W
    Commented Jul 6, 2012 at 9:09
  • My chrome extension uses Google Feed apis. Those apis call some other Javascripts over 'HTTP' so you know there's no solution for me. only HTTPS origins will be accepted I'm solving it by moving to different feed api provider.
    – Vigneshwaran
    Commented Jul 6, 2012 at 10:05
  • @Vigneshwaran "Call other JavaScript" -> Using XMLHttpRequest? If yes, then you can fix the issue by adding a valid match pattern to the manifest, e.g. "permissions": ["http://api.somedomain.com/*"].
    – Rob W
    Commented Jul 6, 2012 at 10:08
0

You should make all your resource calls protocol relative urls. Basically remove any http: or https: and just use //

More info here http://www.paulirish.com/2010/the-protocol-relative-url/

and here Is it valid to replace http:// with // in a <script src="http://...">?

Improve this answer

Not the answer you're looking for? Browse other questions tagged or ask your own question.