Chrome extension mv3 refused to load the script

I am trying to create an extension that can use the Azure Cognitive Services SDK to do speech to text. Everything worked fine with the mv2 extension, but since I have to migrate to mv3 I'm having some trouble. Step by step I'm trying to make it all work. Now I'm stuck with an error:

Refused to load the script 'blob:chrome-extension://extension_id/{...}' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback

I'm having this issue since I'm trying to implement the Azure SDK in my web accessible resources, which is an iframe that does all the retranscription. I saw that some people are talking about a bug, and some say that we can't use external scripts.

Here is my code

audiosources.html

<!DOCTYPE html>
<html>
    <body>
        <script src="distrib/browser/microsoft.cognitiveservices.speech.sdk.bundle.js"></script>
        <script src="audiosources.js"></script>
    </body>
</html>

audiosources.js

chrome.runtime.onMessage.addListener((message, sender, sendResponse) => {
    switch(message.type) {
        case "startStreaming":
            startStreaming(message, sender, sendResponse);
            break;
        case "init":
            console.log("init");
            break;
    }
    sendResponse();
});

function startStreaming(message, sender, sendResponse) {
    for (const tabId in Live) {
        chrome.tabs.sendMessage(parseInt(tabId), {
            type: "removeTranscript",
        });
        stopStreaming(tabId);
    }
    captureUser(sender.tab.id);
}

function captureUser(tabId) { 
    audioConfigUser = SpeechSDK.AudioConfig.fromMicrophoneInput(microphoneId);
    recognizerUser = new SpeechSDK.SpeechRecognizer(
        speechConfig,
        audioConfigUser
    );
    console.log("recognizerUser : ", recognizerUser);
    recognizerUser.startContinuousRecognitionAsync();
    recognizerUser.recognized = (s, e) => {
        toContentUser(tabId, e.result.text);
    };
}

The error occurs when I use the function

startContinuousRecognitionAsync()

manifest.json

{
    "manifest_version": 3,
    "version": "1",
    "name": "Extension stt Azure MV3",
    "minimum_chrome_version" : "93",
    "content_scripts": [
        {
            "matches": ["<all_urls>"],
            "js": ["content.js",
                    "public/js/jquery-3.6.0.min.js"],
            "css": ["public/css/index.css"]

        }
    ],
    "background": {
        "service_worker" : "background.js"
    },
    "web_accessible_resources": [
        {
            "resources":["audiosources.html", "public/icons/copy_icon_24dp.png", "public/css/index.css"],
            "matches":["<all_urls>"],
            "use_dynamic_url": true
        }
    ],
    "permissions":["tabCapture", "tabs"],
    "action":{
        "default_popup":"popup.html",
        "default_icon" : "./public/icons/logo.png"
    }
}

Thanks for your help!



Solution 1:[1]

This is purely a security issue with Chrome extensions. This is a general error. In manifest.js, make some modifications. As the static data binding is trusted already, dynamic allocation of external sources needs to be whitelisted.

Change in manifest.js file

{
  "name": "example",
  "version": "1.0",
  "description": "example extension",
  "manifest_version": 3,
  "content_scripts": [
    {
      "matches": ["https://*/*"],
      "run_at": "document_start",
      "js": ["inject.js"]
    }
  ],
  "web_accessible_resources": [
    {
      "resources": [ "myscript.js" ],
      "matches": [ "https://*/*" ]
    }
  ]
}

Check the below in config file

Access-Control-Allow-Methods "GET, POST, OPTIONS"
Strict-Transport-Security "max-age=31536000;"
Content-Security-Policy "script-src 'self'"
X-XSS-Protection "1; mode=block"
X-Content-Type-Options "nosniff"
X-Frame-Options "DENY"
-Server

Reference

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 SairamTadepalli-MT
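
Added example, not part of the original question or answer: a simplified CSP source matcher that reproduces the decision in the error message above, including the `script-src-elem` to `script-src` fallback, and shows why a `blob:` URL does not match `'self'`. The function names and the blob UUID are constructed for illustration; `extension_id` is the placeholder used in the question.

```javascript
// Added example (not from the original post): simplified CSP source matching.
// Supports 'self', 'none', scheme-sources (e.g. blob:) and exact-origin
// host-sources; wildcards, paths, nonces and hashes are deliberately left out.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Fallback chain for <script> elements, as the error message describes.
function effectiveScriptDirective(directives) {
  for (const name of ["script-src-elem", "script-src", "default-src"]) {
    if (directives.has(name)) return { name, sources: directives.get(name) };
  }
  return null; // no applicable directive: nothing restricts the load
}

function matchesSource(expr, url, selfUrl) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return url.protocol === selfUrl.protocol && url.host === selfUrl.host;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e; // scheme-source
  try {
    const origin = new URL(expr); // host-source written with a scheme
    return url.protocol === origin.protocol && url.host === origin.host;
  } catch {
    return false; // keyword or form this sketch does not model
  }
}

function checkScriptLoad(policy, scriptUrl, documentUrl) {
  const directive = effectiveScriptDirective(parsePolicy(policy));
  if (!directive) return { allowed: true, directive: null };
  const url = new URL(scriptUrl), selfUrl = new URL(documentUrl);
  const allowed = directive.sources.some((s) => matchesSource(s, url, selfUrl));
  return { allowed, directive: directive.name };
}

// Constructed inputs: placeholder extension id and blob UUID.
const PAGE_URL = "chrome-extension://extension_id/audiosources.html";
const BLOB_URL = "blob:chrome-extension://extension_id/00000000-0000-0000-0000-000000000000";
console.log(checkScriptLoad("script-src 'self'", BLOB_URL, PAGE_URL));
console.log(checkScriptLoad("script-src 'self'", "chrome-extension://extension_id/audiosources.js", PAGE_URL));
```

A policy containing `blob:` would satisfy this matcher, but Manifest V3 does not accept `blob:` as a `script-src` value for extension pages, so the code the SDK loads from a blob has to come from a file packaged in the extension instead.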