
Chrome Extension: yql API ERROR: Content Security

I am trying to make a call to yql api. But I get an error. I have the following:

Manifest.json:
"content_security_policy": "script-src 'self'; object-src 'self'", 

Error:
Refused to load the script 'http://query.yahooapis.com/v1/public/yql?q=select%20*%20from%20html%20where…withkeys&callback=jQuery20208888747137971222_1400373036635&_=1400373036638' because it violates the following Content Security Policy directive: "script-src 'self' chrome-extension-resource:".'

I tried doing it w/o having the "content_security_policy", but I would still get an error.

The code to do the call:

yqlAPI = 'http://query.yahooapis.com/v1/public/yql?q=' + encodeURIComponent(query) + '&format=json&env=store%3A%2F%2Fdatatables.org%2Falltableswithkeys&callback=?';

// callback=? makes $.getJSON issue a JSONP request, i.e. load this URL as a <script>
$.getJSON(yqlAPI, function (r) {
    $.each(r.query.results.li, function () {
        if (typeof this.font !== 'undefined') {
            gogoAnime1.push([this.a.href, this.font.content]);
        }
    });
    gotFollowersOfA(gogoAnime1);
});

I have been looking in the CSP ( https://developer.chrome.com/extensions/contentSecurityPolicy#relaxing-remote-script ) but I don't understand what I have to add to my manifest.json to make it work. All help would be appreciated!

I wonder if that's because of requesting an external object.

Content Security Policy (CSP) - Google Chrome

If you have a need for some external JavaScript or object resources, you can relax the policy to a limited extent by whitelisting secure origins from which scripts should be accepted.

So adjust it accordingly, manifest.json:

"content_security_policy": 
       "script-src 'self'; object-src 'self' https://query.yahooapis.com/"

And you'll need to use HTTPS origin:

As man-in-the-middle attacks are both trivial and undetectable over HTTP, those origins will not be accepted. Currently, we allow whitelisting origins with the following schemes: HTTPS, chrome-extension, and chrome-extension-resource.
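An added example, not part of the original question or answer: a simplified matcher showing which CSP directive the JSONP request is checked against. A `callback=?` call is loaded as a `<script>`, so the origin has to appear in `script-src` and be HTTPS. `parsePolicy`, `scriptAllowed`, the extension id and the sample URLs are hypothetical or constructed, and source matching is reduced to 'self' and scheme+host origins.

```javascript
// Simplified CSP check. Real CSP source matching also handles paths,
// wildcards and ports; this covers only 'self' and scheme+host origins.
const EXTENSION_ORIGIN = 'chrome-extension://constructed-extension-id'; // constructed

// Policies: the asker's, the answer's, and one listing the origin in script-src.
const ASKER = "script-src 'self'; object-src 'self'";
const ANSWER = "script-src 'self'; object-src 'self' https://query.yahooapis.com/";
const SCRIPT_SRC = "script-src 'self' https://query.yahooapis.com; object-src 'self'";

// Constructed JSONP URLs (query shortened).
const HTTP_URL = 'http://query.yahooapis.com/v1/public/yql?q=constructed&callback=cb';
const HTTPS_URL = 'https://query.yahooapis.com/v1/public/yql?q=constructed&callback=cb';

// Parse "script-src 'self'; object-src 'self'" into { directive: [sources] }.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // The first occurrence of a directive wins; duplicates are ignored.
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Would <script src=url>, which is what a JSONP call creates, be allowed?
function scriptAllowed(policy, url) {
  const directives = parsePolicy(policy);
  // Script loads are governed by script-src, falling back to default-src.
  // object-src (plugins via <object>/<embed>) is never consulted here.
  const sources = directives['script-src'] || directives['default-src'];
  if (!sources) return true; // generic CSP: no governing directive present
  const target = new URL(url);
  return sources.some((src) => {
    if (src === "'self'") return url.startsWith(EXTENSION_ORIGIN + '/');
    // Per the documentation quoted above, plain-HTTP origins are not accepted.
    if (!src.startsWith('https://')) return false;
    return new URL(src).origin === target.origin;
  });
}
```

Listing an origin in `script-src` lets any script served from it run with the extension's privileges, so keep the list as short as possible.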
