How to fix chrome-extension inline JavaScript invocation error?
Solution 1
By default Content Security Policy, inline scripts won't be loaded and only local script can be loaded. You could relax the default policy by:
-
Inline Script. Take a look at Official Guide, inline scripts can be whitelisted by specifying the base64-encoded hash of the source code in the policy. See Hash usage for elements for an example.
But I believe a better way would extract this logic to a separate script and not use inline script.
-
Remote Script. You could whitelist script resources
https://apis.google.com/js/client.js?onload=handleClientLoad
by the following section inmanifest.json
"content_security_policy":"script-src 'self' https://apis.google.com; object-src 'self'"
Also, I believe a better way could be downloading the remote
client.js
and include it as a local script.
Please be aware as per the description of Inline Script, unsafe-inline
no longer works.
Up until Chrome 45, there was no mechanism for relaxing the restriction against executing inline JavaScript. In particular, setting a script policy that includes 'unsafe-inline' will have no effect.
Solution 2
I solved this by outsourcing everything into the JavaScript file. So instead of the onclick method in the html I have in the JS file:
window.onload = function () {
document.getElementById("button").onclick = <function>;
}
Solution 3
You can use this instead of onclick in an external file:
document.getElementById("#divId").addEventListener("click", myFunction);
Nani3
Updated on April 27, 2021Comments
-
Nani3 about 3 years
I'm making a chrome extension however I seem to get the following error when I try to fire up an onclick() event.
Refused to load the script 'https://apis.google.com/js/client.js?onload=handleClientLoad' because it violates the following Content Security Policy directive: "script-src 'self' blob: filesystem: chrome-extension-resource:"
and
Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' blob: filesystem: chrome-extension-resource:". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
This is my manifest.json :
{ "manifest_version": 2, "name": "SECURE", "description": "this extension offers secure communication for GMAIL users", "version": "1.0", "browser_action": { "default_icon": "resources/icon16.png", "default_popup": "popup.html", "default_title": "Click here!" }, "background":{ "scripts":["background.js"] }, "content_scripts": [ { "matches": ["http://*/*", "https://*/*"], "js":["myscript.js"], "run_at": "document_end" } ], "permissions": ["identity", "https://accounts.google.com/*", "https://www.googleapis.com/*"], "oauth2": { "client_id": "975410329966.apps.googleusercontent.com", "scopes": [ "<all urls>", "https://www.googleapis.com/auth/drive", "https://mail.google.com/", "https://www.googleapis.com/auth/gmail.login", "https://www.googleapis.com/auth/gmail.compose", "https://www.googleapis.com/auth/gmail.readonly", "https://www.googleapis.com/auth/gmail.send" ], "content_security_policy":"script-src 'self' 'unsafe-inline' 'unsafe eval' https://apis.google.com/js/client.js?; object-src 'self'" } }
Any help towards fixing this error would greatly be appreciated.