Best practice for accessing methods of a NPAPI plugin

nuancedragondev · August 5, 2016, 9:56pm

My add-on currently accesses methods on an installed NPAPI plugin. This has worked and still works in most websites. Recently this has stopped working in gmail. When I make the call

document.documentElement.appendChild(plugindiv);

I get the following error

Content Security Policy: The page’s settings blocked the loading of a resource at https://mail.google.com/mail/u/0/#inbox (“object-src https://mail-attachment.googleusercontent.com/swfs/ https://mail-attachment.googleusercontent.com/attachment/”).1(unknown)

Is there a recommended way to do this to avoid the CSP failure?

I understand that NPAPI plugins will be obsolete in the near future. I have plans to port this add-on to WebExtensions. For now, I need a way to keep the current add-on working until support for runtime.connectNative is released to the public.

jorgev · August 12, 2016, 10:25pm

You would need to check the CSP settings for Gmail, to see if you can change your code to something that will meet those restrictions. If that doesn’t work, the next possible solution is to intercept the response from Gmail and change the CSP settings to continue allowing what your add-on is doing (with the caveat that this makes Gmail less safe).