Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SecurityError: violation of Same Origin Policy #56

Open
bowang opened this issue May 18, 2024 · 3 comments
Open

SecurityError: violation of Same Origin Policy #56

bowang opened this issue May 18, 2024 · 3 comments

Comments

@bowang
Copy link

bowang commented May 18, 2024

I ran into the following SecurityError when trying to make a screenshot on YouTube.

SecurityError: The operation is insecure. content_script.js:57
    downloadFile moz-extension://56e788e7-7791-45e8-b204-f469a9a29126/content_script.js:57
    captureScreenshot moz-extension://56e788e7-7791-45e8-b204-f469a9a29126/content_script.js:52
    (Async: EventListener.handleEvent)
    addButtonOnPlayer moz-extension://56e788e7-7791-45e8-b204-f469a9a29126/content_script.js:148
    <anonymous> moz-extension://56e788e7-7791-45e8-b204-f469a9a29126/content_script.js:284
    observer moz-extension://56e788e7-7791-45e8-b204-f469a9a29126/content_script.js:221
    (Async: MutationCallback)
    waitForControls moz-extension://56e788e7-7791-45e8-b204-f469a9a29126/content_script.js:209
    <anonymous> moz-extension://56e788e7-7791-45e8-b204-f469a9a29126/content_script.js:282
    (Async: promise callback)
    <anonymous> moz-extension://56e788e7-7791-45e8-b204-f469a9a29126/content_script.js:281
    inject resource://gre/modules/ExtensionContent.sys.mjs:583
    AsyncFunctionNext self-hosted:852

It seems to be a violation of Same Origin Policy [1].
I tried to add the following line on line 45

    video.crossOrigin = "Anonymous";

before video is fed to canvas.drawImage()
but no luck.

Could something like [2] help?

Reference:
[1] https://www.geeksforgeeks.org/why-does-canvas-todataurl-throws-a-security-exception/
[2] https://gist.github.com/casamia918/a8daf164830bce1b6281e304ed1f91b0
@joggee-fr
Copy link
Contributor

HI @bowang,

I have just gave it a quick check but it is working in my case (Firefox 126.0 for macOS if it can help). Using the console, the video element has crossOrigin property set to null.

I wonder if adding "*://*.youtube.com/*" to Manifest permissions can fix the issue you have observed i.e. avoid CORS issues.

@bowang
Copy link
Author

bowang commented May 21, 2024

I added "*://*.youtube.com/*" to Manifest permissions through about:debugging#/runtime/this-firefox but still ran into the same error after reloading.

Please let me know if the permissions should be added in a different way. Thanks.

@joggee-fr
Copy link
Contributor

@bowang
I can't answer that question. When I am testing modifications, I am using Load Temporary Add-on... in about:debugging#/runtime/this-firefox or better web-ext.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@bowang @joggee-fr