
Content Security Policy

Hello,

First off, thanks for providing this great software!

I am currently evaluating whether or not we can allow use of this extension in our company, and I wanted to point out that CRXcavator (https://crxcavator.io/report/hkhggnncdpfibdhinjiegagmopldibha/27.4.5) is flagging the content-security-policy of this extension as a large source of risk for the extension overall. Running the CSP through https://csp-evaluator.withgoogle.com/ I see there are some decent recommendations that can tighten up the policy. The biggest problem is google maps, which has a JSONP endpoint which can be used to bypass the CSP (https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/45542.pdf).

Comments

  • If you have any specific solutions, I'll gladly look at it. From what I see there are only 2 urls: one for maps and one for analytics in the csp rules; the maps one is used to autocomplete the location of an event. Not sure how to go around that while not adding it to the csp.

  • The main recommendation is to use strict-dynamic policies with a random nonce for each script load, but to be honest I am not sure that is possible in a chrome extension. The most "to-the-point" resource I have found for CSP hardening is this somewhat recent post from Troy Hunt, https://www.troyhunt.com/locking-down-your-website-scripts-with-csp-hashes-nonces-and-report-uri/

  • Oh I forgot to mention, if you paste the csp in the evaluator tool, it will show you some specific recommendations, here is the link again for convenience, https://csp-evaluator.withgoogle.com/

  • I use the nonce technique on my site because it can be generated on server side, but I don't think it's possible as hinted with extensions.

  • Hmmm ok. I think Duo's expectations for a CSP might be a bit extreme here. I wonder how they actually score CSPs.

  • Thanks for looking at this! I think you can probably consider this 'closed', I don't know a concrete way to improve the CSP.
