ideaz

Reputation: 484

Content Security Policy error, without any inline javascript

I've been seeing this error while I try to load my chrome extension:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' https://ajax.googleapis.com".

Here is part of my manifest.json:

...

  "background": {
    "scripts": ["launcher.js"]
  },
  "options_page": "options.html",
  "content_security_policy": "script-src 'self' https://ajax.googleapis.com; object-src 'self'",
  "permissions": [
    "tabs", "notifications", "http://*/*", "https://*/*"

...

In the whole of my JavaScript I've only been communicating with https://ajax.googleapis.com, and I've confirmed this with the Network tab of the Inspect views.

And I've verified that all my JavaScript code sits inside my .js file only. (And yes, I'm using addEventListener() wherever necessary.)

Any suggestions?

UPDATE: Showing the code responsible for the error (as asked by Rob). This is the only place where I'm communicating with ANY server:

....
$.ajax({
    type: "get",
    url: "https://ajax.googleapis.com/ajax/services/feed/load?v=1.0&num=" + storyCount + "&callback=?",
    data: {
        q: link,
        output: "json_xml"
    },
    async: false,
    dataType: "json",
    success: function (data) {
        if (data.responseStatus == 200) {
            //process JSON
        }
....

Upvotes: 2

Views: 2922

Answers (2)

Dipesh

Reputation: 379

With the change from Manifest Version 1 to 2, Chrome extensions do not allow you to use inline JavaScript. You need to place all your JavaScript inside a .js file and include it in the HTML page.

Also, change all onclick, onchange and onsubmit attributes to event listener events.

Thanks

Upvotes: 2
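As an added example (not code from the question or from this answer), the following checker finds the three things a Manifest V2 policy of "script-src 'self'" refuses to run in an extension page: inline <script> bodies, on*="..." handler attributes, and javascript: URLs. The two HTML pages are constructed stand-ins for an options.html before and after the cleanup this answer describes; the function and field names are my own.

```javascript
// Added example: locate inline-script CSP violations in extension HTML.
// Both pages below are constructed samples, not the asker's real options.html.
const OPTIONS_HTML_BEFORE = `<!DOCTYPE html>
<html>
<head>
  <script>var storyCount = 5;</script>
  <script src="jquery.js"></script>
</head>
<body>
  <input id="count" onchange="storyCount = this.value">
  <button onclick="save()">Save</button>
  <a href="javascript:reset()">Reset</a>
</body>
</html>`;

// Same page after moving every handler into options.js via addEventListener.
const OPTIONS_HTML_AFTER = `<!DOCTYPE html>
<html>
<head>
  <script src="jquery.js"></script>
  <script src="options.js"></script>
</head>
<body>
  <input id="count">
  <button id="save">Save</button>
  <a href="#" id="reset">Reset</a>
</body>
</html>`;

// 1-based line number of a character offset, for pointing at the offender.
function lineOf(html, index) {
  return html.slice(0, index).split("\n").length;
}

// Returns one entry per thing Chrome would refuse under script-src 'self'.
function findInlineScriptViolations(html) {
  const violations = [];
  let m;

  // 1. <script> elements that carry a body and have no src attribute.
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  while ((m = scriptRe.exec(html)) !== null) {
    const attrs = m[1];
    const body = m[2];
    if (!/\bsrc\s*=/i.test(attrs) && body.trim() !== "") {
      violations.push({ kind: "inline-script", line: lineOf(html, m.index), detail: body.trim().slice(0, 40) });
    }
  }

  // 2. on*="..." handler attributes and 3. javascript: URLs, checked per tag.
  const tagRe = /<[a-zA-Z][^>]*>/g;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[0];
    const line = lineOf(html, m.index);
    const handlerRe = /\s(on[a-z]+)\s*=/gi;
    let h;
    while ((h = handlerRe.exec(tag)) !== null) {
      violations.push({ kind: "inline-handler", line, detail: h[1].toLowerCase() });
    }
    if (/\b(?:href|src)\s*=\s*["']?\s*javascript:/i.test(tag)) {
      violations.push({ kind: "javascript-url", line, detail: tag.slice(0, 40) });
    }
  }
  return violations;
}

// Usage: print what the before-page would trip over, then confirm the
// after-page is clean.
for (const v of findInlineScriptViolations(OPTIONS_HTML_BEFORE)) {
  console.log(`line ${v.line}: ${v.kind} (${v.detail})`);
}
console.log("after cleanup:", findInlineScriptViolations(OPTIONS_HTML_AFTER).length, "violations");
```

In the cleaned-up page the behaviour lives in options.js, wired with calls such as document.getElementById("save").addEventListener("click", save), which is exactly the move this answer asks for. The checker is a regex lint rather than a full HTML parser, so treat a clean result as "nothing obvious left", not as proof.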

Wladimir Palant

Reputation: 57691

This error message has nothing to do with the requests you make to other servers - it is about inline scripts. If you don't have any inline scripts, then most likely it comes up because somewhere you are creating code dynamically, by means of eval(), new Function() or similar. For example, jQuery will do that to parse JSON if it doesn't find the JSON.parse() method (in Chrome this method should normally be available, however). From the info you gave here it is impossible to tell which code is responsible for the error.

Regardless of that, you should definitely not use JSONP, as Rob W correctly noted in the comments. JSONP will execute code from a remote server in the context of your extension, which is inherently insecure - theoretically it would only call the callback, but practically it could also do something malicious. You should use JSON instead (data being downloaded and parsed, no remote code execution) and remove ajax.googleapis.com from your Content Security Policy.

Upvotes: 0
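To make the JSONP-versus-JSON point concrete, here is an added example that is not part of this answer or the question. Both feed responses are constructed; the callback name imitates the one jQuery generates for "callback=?", and new Function() stands in for the <script> tag jQuery injects for a JSONP request. The buildFeedUrl helper is my own and only rebuilds the question's request without the JSONP parameter.

```javascript
// Added example: a JSONP response is code the page runs, a JSON response is
// data the page parses. Sample responses are constructed, not captured.
const CALLBACK = "jQuery17203";
const FEED = '{"responseStatus":200,"responseData":{"feed":{"title":"Example feed"}}}';

// What a well-behaved JSONP endpoint sends back.
const JSONP_BENIGN = `${CALLBACK}(${FEED});`;
// What a compromised or malicious endpoint could send back: the same callback
// plus anything else, running with the extension's privileges.
const JSONP_HOSTILE = `${CALLBACK}(${FEED}); globalThis.extensionWasTampered = true;`;

// JSONP path. The body is evaluated as JavaScript; calling the callback is a
// convention the server is free to ignore or extend. In an MV2 extension page
// this new Function() call is itself refused by "script-src 'self'", which is
// the same class of error the question reports.
function loadViaJsonp(responseText) {
  let received = null;
  delete globalThis.extensionWasTampered;
  const callback = (data) => { received = data; };
  new Function(CALLBACK, responseText)(callback);
  return { data: received, ranExtraCode: globalThis.extensionWasTampered === true };
}

// JSON path. JSON.parse returns a value or throws; it never executes anything,
// so a padded or hostile body is simply rejected.
function loadViaJson(responseText) {
  try {
    return { data: JSON.parse(responseText), error: null };
  } catch (e) {
    return { data: null, error: e.name };
  }
}

// The question's request rebuilt without "callback=?", so the server is asked
// for plain JSON that the extension then parses as data.
function buildFeedUrl(link, storyCount) {
  const url = new URL("https://ajax.googleapis.com/ajax/services/feed/load");
  url.searchParams.set("v", "1.0");
  url.searchParams.set("num", String(storyCount));
  url.searchParams.set("q", link);
  url.searchParams.set("output", "json_xml");
  return url.toString();
}

// Usage: the benign JSONP body works, the hostile one also "works" but has
// run arbitrary code; JSON.parse accepts only the bare JSON document.
console.log("JSONP benign:", loadViaJsonp(JSONP_BENIGN));
console.log("JSONP hostile:", loadViaJsonp(JSONP_HOSTILE));
console.log("JSON feed:", loadViaJson(FEED));
console.log("JSON given JSONP:", loadViaJson(JSONP_HOSTILE));
console.log("request URL:", buildFeedUrl("http://example.com/rss", 5));
```

With the callback parameter gone, the request is an ordinary cross-origin XMLHttpRequest, which in a Manifest V2 extension is allowed by the host permissions the question already lists ("http://*/*", "https://*/*"), not by the CSP. The manifest can therefore drop the host from script-src and fall back to the default "script-src 'self'; object-src 'self'", which is what this answer recommends.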
