CSP issue

[DerStimmler]

Hi, I wanted to create a simple manifest v3 extension but get the following two errors when I open the default popup:

Refused to load the script 'https://localhost:5173/@vite/client' because it violates the following Content Security Policy directive: "script-src 'self' http://localhost:5173". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

Refused to load the script 'https://localhost:5173/src/entries/popup/main.ts' because it violates the following Content Security Policy directive: "script-src 'self' http://localhost:5173". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

This happens in my extension but also when I create a new project with npm init @samrum/vite-plugin-web-extension@latest and leave everything as it is.

It hasn't worked on Chrome v129 and now after I updated to v130.0.6723.59 still the same problem.

[T0RNATO]

I am having the same issue. I have 700 users who are now unable to use their extension... don't we just love Chrome randomly updating things like this.

[SleepyStew]

+1

[SleepyStew]

@DerStimmler

For anyone encountering this issue, here's a super simple fix that works for me and T0RNATO:

In vite config

webExtension({
    manifest: getManifest(version),
+   useDynamicUrlWebAccessibleResources: false,
}),

[MartinMalinda]

This helped, big thanks @SleepyStew !

[DerStimmler]

@SleepyStew

Awesome, thanks a lot!

[DerStimmler]

I'm wondering why we have to explicitly set it to false, as the README claims that should be the default.

vite-plugin-web-extension/README.md

Lines 165 to 168 in fd56ebb

	useDynamicUrlWebAccessibleResources (optional)
	- Type: `boolean`
	- Default: `false`

[SleepyStew]

@DerStimmler yeah it is strange isn't it. Searching through this repo I found quite a few (although old) files where it was documented to set useDynamicUrlWebAccessibleResources true by default.

[DerStimmler]

Yes, the type definition claims that the default is true:

vite-plugin-web-extension/types/index.d.ts

Lines 33 to 37 in fd56ebb

	/**
	* Sets the use_dynamic_url property on web accessible resources generated by the plugin
	* Default: true
	*/
	useDynamicUrlWebAccessibleResources?: boolean;

I'm not 100% sure, but I think the default is set here in line 17:

vite-plugin-web-extension/src/utils/getAdditionalInputAsWebAccessibleResource.ts

Lines 3 to 19 in fd56ebb

	export default function getAdditionalInputAsWebAccessibleResource(
	input: NormalizedAdditionalInput
	): {
	matches: string[] | undefined;
	extension_ids: string[] | undefined;
	use_dynamic_url?: boolean;
	} | null {
	if (!input.webAccessible) {
	return null;
	}
	return {
	matches: input.webAccessible.matches,
	extension_ids: input.webAccessible.extensionIds,
	use_dynamic_url: true,
	};
	}