Blocked: `import` path in a content script when `use_dynamic_url` is true [363027634]

Fixed

Bug

Needs-Triage-M130

Chromium-Regression

Needs-Bisect

Status Update

No update yet.

Description

so...@chromium.org

created issue #1

Aug 29, 2024 11:50PM

Chrome Version: 130

Note: Chrome is not responsible for bugs or behavior of individual extensions.

What steps will reproduce the problem?

Install the extension [1].
Load example.com

What is the expected result? console log of hi and no errors on the extension page.

What happens instead? Refused to load the script 'chrome-extension://55527063-6744-4b45-8d2a-750437163a97/war.js' because it violates the following Content Security Policy directive: "script-src 'self' 'wasm-unsafe-eval' 'inline-speculation-rules' http://localhost:* http://127.0.0.1:*". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

[1] manifest.json

{
  "name": "3_csp",
  "version": "0.0.1",
  "manifest_version": 3,
  "description": "Test import with a web accessible resource & use_dynamic_url",
  "web_accessible_resources": [
    {
      "resources": ["war.js"],
      "matches": ["<all_urls>"],
      "use_dynamic_url": true
    }
  ],
  "content_scripts": [
    {
      "matches": [ "https://*.example.com/*" ],
      "js": [ "content_script.js" ]
    }
  ]
}

content_script.js

import(chrome.runtime.getURL("./war.js"));

war.js

console.log("hi");

Comments

so...@chromium.org <so...@chromium.org> #2Aug 30, 2024 02:05AM

Assigned to ol...@chromium.org.

The first step could be to document the current behavior on developer.chromium.com. If anyone has time after that, perhaps a decision can be made on if this behavior should be changed.

ke...@tango.us <ke...@tango.us> #3Sep 16, 2024 03:00PM

We also have the same issue with our Chrome Extension, Tango.

This will likely break a lot of extensions, since use_dynamic_url: true is the default behavior of the package vite-plugin-webextension; all extensions that use that and a content script will break. I've confirmed that setting use_dynamic_url: false fixes the issue.

ol...@chromium.org <ol...@chromium.org> #4Sep 19, 2024 09:26AM

Reassigned to rd...@chromium.org.

RE comment#3: Thanks for the heads up about this, and sorry about the trouble. We're looking into addressing this, but at the moment think it still makes sense to launch the feature. We'll try to fix it as soon as possible but it might not be before Chrome 130 goes to stable.

I've reached out to the plugin author here to see if they can update the default or provide some additional guidance in the meantime: https://github.com/samrum/vite-plugin-web-extension/issues/144

wo...@gmail.com <wo...@gmail.com> #5Sep 20, 2024 08:24AM

Note that the code uses an absolute path for import, not relative, because chrome.runtime.getURL transforms the string into an absolute path, so the title of the bug is incorrect.

so...@chromium.org <so...@chromium.org> #6Sep 20, 2024 03:25PM

Perhaps your comment in crbug.com/324975819#comment8 shows a better import line?

wo...@gmail.com <wo...@gmail.com> #7Sep 20, 2024 07:03PM

AFAICT, no, this bug doesn't depend on the path being relative, i.e. my point was that this word should be removed from the title. That comment you've linked shows a different example: using a relative path to load a second module file from the first module file loaded from the content script.

so...@foyer.work <so...@foyer.work> #8Oct 17, 2024 07:42AM

Can this be prioritised? The Chrome Web Store review cycle taking arbitrary time will definitely affect a lot of extensions (and ours in particular). Especially extensions that haven't been updated in a long time due to maintainer being inactive or any other reason.

Message last modified on Oct 17, 2024 07:45AM

th...@gmail.com <th...@gmail.com> #9Oct 17, 2024 09:45AM

This also affects creating dynamic script elements which are added to the page from content script:

https://issues.chromium.org/issues/374013409

const element = document.createElement( 'script' );
element.src = chrome.runtime.getURL( 'script.js' );
document.head.appendChild( element );

Sounsd to me like the dynamic url should be part of the content security policy.

sa...@skenderovic.se <sa...@skenderovic.se> #10Oct 17, 2024 11:54AM

This broke our extension in production as well. We were quick to patch it but there are many others that use bundlers like crxjs which are affected:

https://github.com/crxjs/chrome-extension-tools/issues/918

sd...@gmail.com <sd...@gmail.com> #11Oct 20, 2024 03:55PM

Has anyone found a definitive solution for CSP violation with chrome.runtime.getURL?

Hi everyone,

I've followed the recommendations in this thread to resolve the CSP violation when loading scripts using chrome.runtime.getURL, but I'm still encountering the same error. My extension was functioning correctly before, but the issue appeared after recent updates.

Error: Refused to load the script 'chrome-extension://139dd5ff-aafb-41b1-b61f-c524f015f41a/assets/main.tsx-d78cb075.js' because it violates the following Content Security Policy directive: "script-src 'self' 'wasm-unsafe-eval' 'inline-speculation-rules' http://localhost:* http://127.0.0.1:*". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

Here's the relevant code block:

(function () {
  'use strict';
  const injectTime = performance.now();
  (async () => {
    const { onExecute } = await import(
      /* @vite-ignore */
      chrome.runtime.getURL("assets/main.tsx-d78cb075.js")
    );
    onExecute?.({ perf: { injectTime, loadTime: performance.now() - injectTime } });
  })().catch(console.error);
})();

I've reviewed the following related issues:

https://github.com/crxjs/chrome-extension-tools/issues/927
https://github.com/samrum/vite-plugin-web-extension/issues/144
Despite following these recommendations, the issue persists. It seems related to recent CSP changes or updates.

Additional Information:

@crxjs/vite-plugin: ^2.0.0-beta.14
Development environment: Vite, CRXJS
Any guidance or insights on adjusting the CSP configuration or addressing recent changes would be greatly appreciated.

Thanks!

ja...@gmail.com <ja...@gmail.com> #12Oct 20, 2024 11:12PM

Hi, I'm the CRXJS maintainer, and I just wanted to voice my support for including dynamic URLs in the CSP when use_dynamic_url is true. The current implementation breaks import() in content scripts and affects chrome.runtime.getURL(), causing issues for all the extensions built with CRXJS and other tools that use ESM in content scripts.

Some use case background: Modern JS build tools are ESM-first, but content scripts don't support ESM except by import(). To leverage a fuller build tool feature set, we use import(). Dynamic URLs help to protect user privacy by preventing browser fingerprinting through extension URLs.

Including dynamic URLs in the CSP would:

Resolve these breaking changes
Maintain the privacy benefits of dynamic URLs
Support modern development practices in content scripts

I know Chrome extensions have many edge cases, and it's hard to move forward while supporting all of them. I appreciate all your hard work! Can I provide any extra information to help prioritize fixing this breaking change?

Edit: updated use case information

Message last modified on Oct 21, 2024 12:22AM

wo...@gmail.com <wo...@gmail.com> #13Oct 21, 2024 07:20AM

The `import()` CSP problem should have been fixed in Chrome Canary a week ago, at least when the CSP of the page was the culprit. Could you test it? You can also use a snapshot build from

https://download-chromium.appspot.com

ol...@chromium.org <ol...@chromium.org> #14Oct 21, 2024 07:26AM

wOxxOm, could you share a link to the change you're referring to? Thanks all for the feedback - I'm hoping to have some discussions with the team this week to check in on how we might be able to prioritize this. I can't promise anything but we definitely hear you :)

ma...@trendmicro.com <ma...@trendmicro.com> #15Oct 21, 2024 09:22AM

Hi Dears

I still meet the similar issue chrome show chrome-extension://invalid.html when "use_dynamic_url" is true.
In this scenario, we can not jump to our expect page using document.location.replace(path) and path get from chrome.runtime.getURL.

I file the case and upload sample code in the case

https://issues.chromium.org/issues/374503948.
Is there new build to fix the issue ?

Thanks

ol...@chromium.org <ol...@chromium.org> #16Oct 21, 2024 12:28PM

Comment #15: That looks like a separate issue to me, and it's not one I've seen any other reports of. I'll make sure we take a look.

wo...@gmail.com <wo...@gmail.com> #17Oct 21, 2024 03:08PM

Re #14, it was a fix for

bug 40564567

da...@gmail.com <da...@gmail.com> #18Oct 22, 2024 03:39AM

In case it helps at all, I created a minimal repro for this issue. (My browsers updated to 130 today and I ran into this issue with an extension I made.)

https://github.com/drmercer/webext-csp-issue-repro-oct2024

Workaround: drop "use_dynamic_url": true from the entry in web_accessible_resources. Note: unfortunately, that does have privacy implications. (Figured I'd include this for anyone skimming this thread and not seeing a clear workaround. 😅)

Message last modified on Oct 22, 2024 03:42AM

ap...@google.com <ap...@google.com> #19Oct 24, 2024 06:13AM

Marked as fixed.

Project: chromium/src
Branch: main
Author: Devlin Cronin <rdevlin.cronin@chromium.org>
Link: https://chromium-review.googlesource.com/5955629

[Extensions] Fix import of dynamic URL resources

Expand for full commit details

[Extensions] Fix import of dynamic URL resources 
 
Extensions have a minimum CSP applied to their isolated worlds. This 
CSP restricts remotely-hosted code (by design) by limiting script 
sources to `self`. However, this causes problems when trying to 
`import()` resources that are exposed in web-accessible resources with 
`use_dynamic_url` set to true, since those resources will be (initially) 
served over the extension's dynamic origin. 
 
Modify the extension's isolated world CSP to explicitly allow resources 
from that extension's dynamic origin, and add a browsertest to exercise 
the same. 
 
Fixed: 363027634 
Change-Id: I73af26ce15e9164b544e9ee70f7c94ade162d6ef 
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5955629 
Reviewed-by: Tim <tjudkins@chromium.org> 
Commit-Queue: Devlin Cronin <rdevlin.cronin@chromium.org> 
Cr-Commit-Position: refs/heads/main@{#1373148}

Files:

M chrome/browser/extensions/content_security_policy_apitest.cc
M extensions/common/extension.cc
M extensions/common/manifest_handlers/csp_info.cc
M extensions/common/manifest_handlers/csp_info.h
M extensions/common/manifest_handlers/csp_info_unittest.cc
M extensions/renderer/extension_injection_host.cc
M extensions/renderer/extension_injection_host.h

Hash: ec6cd0c005b91926ac713b80b8faae56ece3cbdd
Date: Thu Oct 24 06:10:28 2024

sa...@gmail.com <sa...@gmail.com> #20Oct 26, 2024 12:57PM

If this issue is fixed from the chromium side, what action we "as a developers using CRXJS" have to take on our side?

Message last modified on Oct 26, 2024 12:58PM

ga...@eloo.ai <ga...@eloo.ai> #21Oct 28, 2024 11:23AM

When using canary version 132.0.6803.0 (from Oct 28) =>

I dont get the "wasm-unsafe-eval" error , BUT I do get the following on the web assembly assets:
"Resources must be listed in the web_accessible_resources manifest key in order to be loaded by pages outside the extension."
So the Extension still doesnt work.

The manifest does include these.

specifically - the error is " Denying load of chrome-extension://dleijonfhnilmaepjfjghojajjkjoncf/assets/chunk-ee6e37cf.js. Resources must be listed in the web_accessible_resources manifest key in order to be loaded by pages outside the extension."

and the manifest includes:
"web_accessible_resources": [
{
"matches": [
"https://*.

atlassian.net/*"
],
"resources": [
"assets/chunk-4acc5268.js",
"assets/chunk-e67a8012.js",
"assets/chunk-6e37134e.js",
"assets/chunk-ee6e37cf.js",
"assets/chunk-e36649d8.js"
],
"use_dynamic_url": true
}

ol...@chromium.org <ol...@chromium.org> #22Oct 28, 2024 11:27AM

RE comment #21: Could you share an example extension? That would be helpful so we can try to see what is happening. Based on the error message, I'm wondering if you are possibly using a relative path. In that case, you'd want to switch to import(chrome.runtime.getURL(... since this fix doesn't exempt content scripts from the other dynamic URL requirements.

ga...@eloo.ai <ga...@eloo.ai> #23Oct 28, 2024 02:05PM

After updating vite/react-plugin (beta-2.0.28) and vite versions, problem solved on latest chrome version.

Message last modified on Nov 1, 2024 08:32AM

le...@adobe.com <le...@adobe.com> #24Oct 28, 2024 04:39PM

Will this be merged into M130 or M131? If so, is there an approximate timeframe for when we can expect it to release? Waiting until January for 132 for the fix is less than ideal.

rd...@chromium.org <rd...@chromium.org> #25Nov 8, 2024 11:08PM

@ #comment24: Unfortunately, this is unlikely to be merged into earlier releases.