I am working on a Chrome extension which opens a new window. That window contains my page.html where there are some scripts, and that's the problem, because in the console I can see the error... and now.
When I don't add any additional stuff to my manifest.json or page.html I get this error:
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' blob: filesystem: chrome-extension-resource:". Either the 'unsafe-inline' keyword, a hash ('sha256-t+n/+H6ALc8VWtFbu1Zd7/MPwtSjSk8PIrfccO7FJrg='), or a nonce ('nonce-...') is required to enable inline execution.
If I add
"content_security_policy": "script-src 'self' chrome-extension://capfbnhhhkfclmggnafjgkolommmmoch; object-src 'self';"
to my manifest.json, I get
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' chrome-extension://capfbnhhhkfclmggnafjgkolommmmoch". Either the 'unsafe-inline' keyword, a hash ('sha256-t+n/+H6ALc8VWtFbu1Zd7/MPwtSjSk8PIrfccO7FJrg='), or a nonce ('nonce-...') is required to enable inline execution.
When I added a meta tag to my page.html there was the same or a similar error.
And my question is: how can I fix it? Because I think that "script-src 'self' blob: filesystem: chrome-extension-resource:" is some kind of template, so I have to add some data after it :s... But I really don't know what. I saw something about it here, but I don't have a clue what I should do with it or where I should write it. So please help me, I would be so happy if I could fix that error.
Code where window opens:
// Fetch page.html from inside the extension package (chrome.extension.getURL
// resolves to a chrome-extension:// URL), then write its markup into a new window.
$.get(chrome.extension.getURL('/page.html'), function(data) {
    var myWindow;
    // Open an empty 386x290 window and centre it on the screen.
    myWindow = window.open("", "TopSerialy.sk Vyhľadávač", "width=386,height=290");
    myWindow.moveTo((screen.width/2)-(386/2), ((screen.height-93)/2)-(290/2));
    // Inject the fetched HTML, including its inline <script> block, into the window.
    myWindow.document.write(data);
});
page.html contains only a simple script to close the window when a button is pressed, declared in a <script>functions, etc...</script> tag in the HTML, not a <script src="some_url/script.js"></script> tag!
Click the extension icon to disable Content-Security-Policy header for the tab. Click the extension icon again to re-enable Content-Security-Policy header. Use this only as a last resort. Disabling Content-Security-Policy means disabling features designed to protect you from cross-site scripting.
Extensions: Select the three-dot menu > More Tools > Extensions > toggle on/off extensions in list. Or: Type "chrome://extensions/" into address bar > press Enter > toggle on/off extensions in list. Plug-ins: Select the three-dot menu > Settings > Site Settings > choose desired plug-in > toggle on/off.
To test for misconfigurations in CSPs, look for insecure configurations by examining the Content-Security-Policy HTTP response header or the CSP meta element in a proxy tool: the unsafe-inline source enables inline scripts or styles, making the application susceptible to XSS attacks.
The content security policy for Chrome Apps restricts you from doing the following: You can't use inline scripting in your Chrome App pages. The restriction bans both <script> blocks and event handlers (<button onclick="...">). You can't reference any external resources in any of your app files (except for video and audio resources).
A Content Security Policy (CSP) lets developers improve security by putting restrictions on what resources can be loaded on a page. For example, a CSP can only allow requests from certain domains, or block inline script tags. Developers can also specify a URL that the browser can send reports to if a page attempts to load a blocked resource.
"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"
However, you should avoid relaxing policies. These functions are notorious XSS attack vectors.
Tightening the default policy: you may, of course, tighten this policy to whatever extent your Extension allows in order to increase security at the expense of convenience.
On the web, such a policy is defined via an HTTP header or meta element. Inside the Microsoft Edge Extension system, neither is an appropriate mechanism. Instead, an Extension policy is defined using the manifest.json file for the Extension as follows: { ..., "content_security_policy": "[POLICY STRING GOES HERE]" ...
This does not work, because Chrome forbids any kind of inline code in extensions via Content Security Policy.
What you can do is: move the code into a separate file (popup.js) and load it with <script src="popup.js"></script>.