Modifying content-security-policy response headers using declarativeNetRequest and Manifest V3

I am trying to upgrade a Chrome extension to Manifest V3. Our current application makes use of webRequest and webRequestBlocking to modify the content-security-policy directives in order to inject resources from another application into a frame.

Since webRequestBlocking is no longer supported in Manifest V3, I have been trying to utilize declarativeNetRequest to modify the response headers, but keep running into the following errors:

Refused to send form data to 'https://securesite.com' because it violates the following Content Security Policy directive: "form-action 'self' *.example.com".

Refused to frame 'https://securesite.com' because it violates the following Content Security Policy directive: "frame-src 'self' *.example.com".

I have tried the operations "append", "set", and "remove" and have not had success with any. I also do see that the rules are being triggered in onRuleMatchedDebug. Any insight would be helpful!

manifest.json

{
 "manifest_version": 3,
 "permissions": [
    "activeTab",
    "webRequest",
    "declarativeNetRequest",
    "browsingData",
    "storage",
    "tabs",
    "scripting"
 ],
 "host_permissions": [
    "http://*/*",
    "https://*/*"
 ],
 "declarative_net_request": {
    "rule_resources": [{
      "id": "csp_rules",
      "enabled": true,
      "path": "cspRules.json"
    }]
 },
 "background": {
    "service_worker": "background.js"
 }
}

cspRules.json

[
  {
    "id": 1,
    "priority": 1,
    "action": {
      "type": "modifyHeaders",
      "responseHeaders": [
        {
          "header": "content-security-policy",
          "operation": "append",
          "value": "script-src https://securesite.com http://localhost:3000; style-src https://secure.alphasights.com http://localhost:3000; img-src https://secure.alphasights.com http://localhost:3000; form-action https://secure.alphasights.com http://localhost:3000; frame-src https://secure.alphasights.com http://localhost:3000; connect-src https://secure.alphasights.com http://localhost:3000"
        }
      ]
    },
    "condition": {
      "urlFilter": "example.com",
      "resourceType": ["main_frame", "sub_frame"]
    }
  }
]
There are 0 answers
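
Added example, not part of the original question and not the extension's own code: a browser enforces every Content Security Policy delivered with a response, so if an appended value reaches the page as an additional policy it can only narrow what is allowed. The sketch below is a simplified model of that rule; the page origin, the shortened extra policy and the merged policy are constructed assumptions, and the original policy is the one quoted in the two error messages.

```javascript
// Added example: simplified model of CSP enforcement with several policies.
// Models 'self', scheme://host[:port] and "*.host" sources only; no default-src fallback.

function parsePolicy(text) {
  const directives = new Map();
  for (const part of text.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Within one policy the first occurrence of a directive wins.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function sourceMatches(source, url, selfOrigin) {
  if (source === "'self'") return url.origin === selfOrigin;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && scheme.toLowerCase() + ':' !== url.protocol) return false;
  if ((port || '') !== url.port) return false;
  const h = host.toLowerCase();
  return h.startsWith('*.') ? url.hostname.endsWith(h.slice(1)) : url.hostname === h;
}

// A load is allowed only if EVERY policy in the list allows it.
function allowed(policyTexts, directive, target, selfOrigin) {
  const url = new URL(target);
  return policyTexts.map(parsePolicy).every((policy) => {
    const sources = policy.get(directive);
    return sources === undefined || sources.some((s) => sourceMatches(s, url, selfOrigin));
  });
}

// Constructed sample values; ORIGINAL is taken from the two error messages.
const SELF = 'https://app.example.com'; // assumed page origin
const ORIGINAL = "form-action 'self' *.example.com; frame-src 'self' *.example.com";
const EXTRA = 'form-action https://securesite.com; frame-src https://securesite.com';
const MERGED = "form-action 'self' *.example.com https://securesite.com; " +
  "frame-src 'self' *.example.com https://securesite.com";

function demo() {
  const target = 'https://securesite.com';
  return {
    originalOnly: allowed([ORIGINAL], 'frame-src', target, SELF),
    originalPlusExtra: allowed([ORIGINAL, EXTRA], 'frame-src', target, SELF),
    extraOnly: allowed([EXTRA], 'frame-src', target, SELF),
    mergedSingle: allowed([MERGED], 'form-action', target, SELF),
  };
}
console.log(demo());
```

In this model the frame is refused whenever the original policy is still present next to the extra one, and is allowed only when a single policy that itself lists the origin is in effect.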