CSP for Google Translate (Chrome built-in)
utilitiesUsing Google Translate (Chrome built-in) with Content Security Policy
Google Translate gets loaded dynamically by Chrome Browsers (even if not in your code). It is generally safe to allow.
Allow these directives in your CSP, to support Google Translate (Chrome built-in) in your Content Security Policy:
script-src https://translate.googleapis.com https://translate.google.com; style-src 'unsafe-inline' translate.googleapis.com; img-src translate.google.com translate.googleapis.com www.gstatic.com; connect-src translate.googleapis.com translate.google.com www.gstatic.com;
The main domains used by Google Translate (Chrome built-in) are:
translate.googleapis.com google.com
Sources:
Google Translate Vs CSP. Fight!(Blog Post)CSP block google translate(Stackoverflow)RapidSec CSP Generator(RapidSec Data Network)Example Content-Security-Policy violations / reports:
Using the above CSP package, will fix these errors that you may be seeing in your console logs:
script-src/script-src-elem/script-src-attrviolations
Refused to load the script 'https://translate.googleapis.com/element/*/e/js/element/element_main.js' because it violates the following Content Security Policy directive: "script-src 'self' 'report-sample'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
If you see inline style errors, you need to add SHA-256 hashes / nonces to your CSP with RapidSec:
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'report-sample'". Either the 'unsafe-inline' keyword, a hash ('sha256-RFWPLDbv2BY+rCkDzsE+0fr8ylGr2R2faWMhq4lfEQc='), or a nonce ('nonce-...') is required to enable inline execution.If you see inline eval() errors, RapidSec will generate your CSP with the specific content of the errors:
Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'report-sample'".
style-src/style-src-elem/style-src-attrviolations
Refused to load the stylesheet 'https://translate.googleapis.com/translate_static/css/translateelement.css' because it violates the following Content Security Policy directive: "style-src 'self' 'report-sample'". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.
If you see inline style errors, you need to add SHA-256 hashes / nonces to your CSP with RapidSec:
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'report-sample'". Either the 'unsafe-inline' keyword, a hash ('sha256-RFWPLDbv2BY+rCkDzsE+0fr8ylGr2R2faWMhq4lfEQc='), or a nonce ('nonce-...') is required to enable inline execution.img-srcviolations
Refused to load the image 'translate.googleapis.com' because it violates the following Content Security Policy directive: "img-src 'self'".
frame-srcviolations
[Report Only] Refused to frame 'translate.googleapis.com' because it violates the following Content Security Policy directive: "frame-src 'self'".
form-actionviolations
[Report Only] Refused to send form data to 'translate.googleapis.com' because it violates the following Content Security Policy directive: "form-action 'self'".
connect-srcviolations
[Report Only] Refused to connect to 'translate.googleapis.com' because it violates the following Content Security Policy directive: "connect-src 'self'"