Question

我尝试将简单的XMLHTTPRequest发送到Sec Gov页面。

Refused to connect to 'https://www.sec.gov/cgi-bin/browse-edgar?CIK=LEL&Find=Search&owner=exclude&action=getcompany&count=100' because it violates the following Content Security Policy directive: "connect-src *://localhost:3000 https://www.sec.gov/*".

render @ TickerTableInfo.js?420e:36

使用React redux chrome extension boilerplate

manifest.json看起来像这样。

{
  "version": "0.0.0",
  "name": "react-chrome-extension-example",
  "manifest_version": 2,
  "description": "Example for react-chrome-extension-boilerplate",
  "browser_action": {
    "default_title": "React Chrome Extension Example",
    "default_popup": "popup.html"
  },
  "icons": {
    "16": "img/icon-16.png",
    "48": "img/icon-48.png",
    "128": "img/icon-128.png"
  },
  "web_accessible_resources": [
    "inject.html"
  ],
  "background": {
    "page": "background.html"
  },
  "permissions": [ "contextMenus", "management", "tabs", "storage", "https://github.com/*", "https://www.sec.gov/*" ],
  "content_security_policy": "default-src 'self' https://www.sec.gov/*; script-src 'self' http://localhost:3000 https://localhost:3000 'unsafe-eval'; connect-src *://localhost:3000 https://www.sec.gov/*; style-src * 'unsafe-inline' 'self' blob:; img-src 'self' data:;"
}

Answer 1

必须从

中删除/*

"content_security_policy": "default-src 'self' https://www.sec.gov/*; script-src 'self' http://localhost:3000 https://localhost:3000 'unsafe-eval'; connect-src *://localhost:3000 https://www.sec.gov/*; style-src * 'unsafe-inline' 'self' blob:; img-src 'self' data:;"

谢谢wOxxOm的回答

chrome插件的内容安全策略

1 个答案: