Content Security Policy in Chrome App
Solution 1
Have you tried adding the CSP line to your manifest as per your CSP link?
"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"
Solution 2
What you're showing is not a Chrome extension, but a Chrome app.
Chrome extensions will let you relax the default Content Security Policy; Chrome Apps won’t. (source: CSP docs for Chrome apps; note: this page is different from CSP docs for Chrome extensions).
The next line applies to apps and extensions:
- The Content Security Policy does not apply to a specific script, but to a whole page. So, you can only declare a sandbox for a whole page (using the sandbox.pages key in the manifest file). You cannot use "js" as a key in sandbox.
In a Chrome extension, the CSP can be relaxed, e.g. allowing eval using the following policy:
"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"
To turn your app into an extension: do not use the app key, but use a background key. With the following manifest, you'll be able to use eval in your background page:
{
  "name": "Whatever",
  "version": "1.0.3",
  "manifest_version": 2,
  "background": {
    "scripts": [
      "background.js"
    ]
  },
  "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"
}
(omitted icons / permissions because they're not relevant for the example; omitted sandbox because it's not needed)
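The rules Solution 2 relies on (an "app" key makes the package a Chrome App whose default CSP cannot be relaxed; a "background" key without "app" makes it an extension whose content_security_policy is honoured; script-src falls back to default-src when it is not set, as the error in the question states; sandbox is declared per page, not per script) can be turned into a small manifest check. The following is an added example written for this page, not code from either answer or from Chrome; the function names, the two constructed manifests and the treatment of an app's declared policy as simply ignored are assumptions made for illustration.

```javascript
// Added example (not from the original answers): decide whether eval() would be
// allowed under a Chrome manifest, using the rules stated in Solution 2.

// Default policy Chrome applies when no relaxed policy is in effect; this is the
// directive quoted in the question's error message.
const DEFAULT_CSP = "default-src 'self' chrome-extension-resource:";

// Parse "dir a b; dir2 c" into { dir: ['a', 'b'], dir2: ['c'] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Effective source list for scripts: script-src, else the default-src fallback.
function scriptSources(policy) {
  const d = parseCsp(policy);
  return d['script-src'] || d['default-src'] || [];
}

function allowsEval(policy) {
  return scriptSources(policy).includes("'unsafe-eval'");
}

// Inspect a parsed manifest object: is it an app or an extension, which policy
// actually applies, is eval allowed, and which declarations are wrong.
function inspectManifest(manifest) {
  const isApp = Object.prototype.hasOwnProperty.call(manifest, 'app');
  const declared = manifest.content_security_policy;
  // Assumption for this example: an app's declared policy is ignored and the
  // default applies; an extension's declared policy is honoured.
  const effectivePolicy = !isApp && declared ? declared : DEFAULT_CSP;
  const problems = [];
  if (isApp && declared && allowsEval(declared)) {
    problems.push('content_security_policy cannot relax the CSP of a Chrome App');
  }
  if (manifest.sandbox && Object.prototype.hasOwnProperty.call(manifest.sandbox, 'js')) {
    problems.push('"js" is not a valid sandbox key; sandbox applies to whole pages ("pages")');
  }
  return {
    kind: isApp ? 'app' : 'extension',
    effectivePolicy,
    evalAllowed: allowsEval(effectivePolicy),
    problems,
  };
}

// Constructed inputs: one modelled on the question's manifest, one on the fix.
const APP_MANIFEST = {
  name: 'Whatever',
  version: '1.0.3',
  manifest_version: 2,
  app: { background: { scripts: ['background.js'] } },
  sandbox: { js: ['lib/test-api.js'] },
  content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'",
};
const EXTENSION_MANIFEST = {
  name: 'Whatever',
  version: '1.0.3',
  manifest_version: 2,
  background: { scripts: ['background.js'] },
  content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'",
};

console.log(inspectManifest(APP_MANIFEST));
console.log(inspectManifest(EXTENSION_MANIFEST));
```

Running it reports the app manifest as "app" with eval not allowed and two problems (the ineffective relaxed policy and the invalid sandbox "js" key), and the extension manifest as "extension" with eval allowed and no problems.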
Updated on July 20, 2022

Comments
Admin, almost 2 years ago:
My Chrome app has the following manifest:
{
  "name": ",
  "version": "1.0.3",
  "manifest_version": 2,
  "description": "Chrome Extension for.",
  "icons": {
    "16": "images/test.png",
    "19": "images/test.png",
    "256": "images/test.png"
  },
  "app": {
    "background": {
      "scripts": [
        "background.js"
      ]
    }
  },
  "sandbox": {
    "js": [
      "lib/test-api.js"
    ]
  },
  "permissions": [
    "<all_urls>",
    "notifications",
    "storage",
    "videoCapture"
  ]
}
I have a script file that runs eval. I have read about CSP and sandboxing, but I still get this error:

Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' chrome-extension-resource:". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.