I’ve loaded Disqus on my WordPress website, which is running on HTTPS. The problem is that while the comments are shown at the bottom of the webpage, they are white (and since the background of the page is also white, they are not visible).
If I open Inspector in Chrome, the following error is printed to the Console tab.
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src https://*.twitter.com:* https://api.adsnative.com/v1/ad.json *.adsafeprotected.com *.google-analytics.com https://glitter-services.disqus.com https://*.services.disqus.com:* disqus.com http://*.twitter.com:* a.disquscdn.com api.taboola.com referrer.disqus.com *.scorecardresearch.com *.moatads.com https://admin.appnext.com/offerWallApi.aspx 'unsafe-eval' https://mobile.adnxs.com/mob *.services.disqus.com:*". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
This happens because of the Popup Blocker Extension in Chrome, but I would like to enable it with content security policy: http://www.html5rocks.com/en/tutorials/security/content-security-policy/ . Basically, the error occurs in the chrome-extension://* scheme, so I need to add an appropriate entry to the Content-Security-Policy to allow chrome extensions.
How should I disable the security policy for chrome extensions?
This isn’t something you can (or should) meaningfully solve. It’s up to the extension vendor to properly implement it themselves. The fact is the extension is attempting to inject inline code and it’s being stopped by the Content Security Policy because the CSP is made to block it. As it should, since the extension is indistinguishable from malware from its perspective.
You could (but should not) simply add rules to your site’s Content Security Policy to allow the extension to run, but this is potentially dangerous, incredibly case-specific, and should basically only ever be done in an enterprise context in which everyone has a (poorly coded) browser extension that is required to work with your site. And even then, re-coding the extension would generally be preferred.
No. Additionally, you cannot.
The CSP of extensions is part of the (local) extension.
In short: websites are not able to mess with extensions. Which is good – I don’t want Facebook to disable my CSP and send my personal porn preferences (from the PornLiner addon) to my profile.