Reputation: 785
I am trying to develop a Chrome application in which I want to display custom RSS feeds, but the feeds are not getting loaded and errors like the above are displayed.
Error details that are displayed:
Refused to load the script
'https://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js'
because it violates the following Content Security Policy directive:
"script-src 'self'
https://ajax.googleapis.com/ajax/libs/jquery/1.4.1/jquery.min.js".
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'
https://ajax.googleapis.com/ajax/libs/jquery/1.4.1/jquery.min.js".
jquery.min.js:35
Refused to load the script 'https://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js'
because it violates the following Content Security Policy directive:
"script-src 'self'
https://ajax.googleapis.com/ajax/libs/jquery/1.4.1/jquery.min.js".
Refused to load the script 'http://ajax.googleapis.com/ajax/services/feed/load?v=1.0&num=2&output=json&q=http%3A%2F%2Fblog.tax2290.com%2Ffeed%2F&hl=en&callback=jsonp1373953012503'
because it violates the following Content Security Policy directive:
"script-src 'self'
https://ajax.googleapis.com/ajax/libs/jquery/1.4.1/jquery.min.js".
manifest.json
{
  "name": "Tax New 2290",
  "manifest_version": 2,
  "version": "1.1",
  "description": "Tax 2290",
  "web_accessible_resources": ["images/logo.png"],
  "icons": {
    "16": "icon16.png",
    "19": "icon19.png",
    "48": "icon48.png",
    "128": "icon128.png",
    "256": "icon256.png"
  },
  "browser_action": {
    "default_icon": "images/logo.png",
    "default_popup": "index.html"
  },
  "permissions": ["tabs", "<all_urls>", "http://www.tax2290.com", "http://*/*", "https://*/*", "http://*.google.com/"],
  "content_security_policy": "script-src 'self' https://ajax.googleapis.com/ajax/libs/jquery/1.4.1/jquery.min.js; https://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js; object-src 'self'"
}
index.html
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.4.1/jquery.min.js"></script>
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
<script type="text/javascript" src="images/feed.js"></script>
<link rel="stylesheet" href="images/style.css" type="text/css" />
<title>Chrome Popup</title>
</head>
feed.js
$(function() {
  var $items = $('#vtab>ul>li');
  $items.mouseover(function() {
    $items.removeClass('selected');
    $(this).addClass('selected');
    var index = $items.index($(this));
    $('#vtab>div').hide().eq(index).show();
  }).eq(0).mouseover();
});
$(document).ready(function () {
  $('#divRss2').FeedEk({
    FeedUrl: 'http://blog.tax2290.com/feed/',
    MaxCount: 2,
    ShowDesc: true,
    ShowPubDate: true,
    DescCharacterLimit: 250
  });
});
> Please tell me how I could avoid these errors and load the custom RSS feeds.
Upvotes: 4
Views: 28284
Reputation: 77
First, try to remove this part from your manifest file:
"content_security_policy": "script-src 'self' https://ajax.googleapis.com/ajax/libs/jquery/1.4.1/jquery.min.js; https://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js; object-src 'self'"
Then download all of your external links to a local environment folder, and after that reference them there.
For example, download https://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js to your parent folder and change your reference from
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.4.1/jquery.min.js"></script>
to
<script src="jquery.min.js"></script>
I also recommend moving all of your references from the head tag to the bottom of the body tag.
Upvotes: 0
Reputation: 882
Your "content_security_policy" has several problems.
1) The first is that you should remove the semicolon between the 1.4.1 and 1.9.1 jquery declarations. Multiple URLs should be separated with a single space only and no other characters.
2) The second is that you are trying to load this script "http://ajax.googleapis.com/ajax/services/feed/load?v=1.0&num=2&output=json&q=http%3A%2F%2Fblog.tax2290.com%2Ffeed%2F&hl=en&callback=jsonp1373953012503" but you never allow that in your CSP.
3) And thirdly, it appears you need to allow inline scripts.
I would change your "content_security_policy" to look like this:
"content_security_policy": "script-src 'self' https://ajax.googleapis.com/ 'unsafe-inline'; object-src 'self'"
'unsafe-inline' should fix the "Refused to execute inline script" error.
https://ajax.googleapis.com/ should allow both versions of jquery to load as well as your /ajax/services/feed/load URL.
Upvotes: 2
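The semicolon problem and the unlisted feed URL described in the answer above can be checked mechanically. The following is an added example, not code from the question or any answer: a simplified CSP parser and script-src matcher run against the policy strings and URLs on this page. The function names are hypothetical, and only scheme, host and path matching is modelled, not Chrome's extension-specific rules.

```javascript
// Added example: simplified CSP parsing and script-src source matching.
// Assumption: only scheme/host/path matching is modelled (no wildcards, nonces, hashes).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1)); // first one wins
  }
  return directives;
}

// Directive names may contain only letters, digits and "-"; other names are ignored.
function invalidDirectiveNames(policy) {
  return [...parseCsp(policy).keys()].filter((n) => !/^[a-z0-9-]+$/.test(n));
}

function sourceMatches(source, url) {
  if (source.startsWith("'")) return false; // keywords such as 'self' never match a remote URL
  let s;
  try { s = new URL(source); } catch { return false; }
  const u = new URL(url);
  // An https: source does not match an http: resource (an http: source matches both).
  if (s.protocol !== u.protocol && !(s.protocol === 'http:' && u.protocol === 'https:')) return false;
  if (s.host !== u.host) return false;
  // A source path ending in "/" is a prefix match; any other path must match exactly.
  return s.pathname.endsWith('/') ? u.pathname.startsWith(s.pathname) : u.pathname === s.pathname;
}

function scriptAllowed(policy, url) {
  const sources = parseCsp(policy).get('script-src') || [];
  return sources.some((src) => sourceMatches(src, url));
}

// URLs and policy strings copied from the question and the second answer.
const JQ141 = 'https://ajax.googleapis.com/ajax/libs/jquery/1.4.1/jquery.min.js';
const JQ191 = 'https://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js';
const FEED = 'http://ajax.googleapis.com/ajax/services/feed/load?v=1.0&num=2&output=json&q=http%3A%2F%2Fblog.tax2290.com%2Ffeed%2F&hl=en&callback=jsonp1373953012503';
const POLICIES = {
  question: `script-src 'self' ${JQ141}; ${JQ191}; object-src 'self'`,
  semicolonRemoved: `script-src 'self' ${JQ141} ${JQ191}; object-src 'self'`,
  hostWide: "script-src 'self' https://ajax.googleapis.com/ 'unsafe-inline'; object-src 'self'",
};

// For each policy: is [jQuery 1.4.1, jQuery 1.9.1, feed request] allowed by script-src?
function report() {
  const rows = {};
  for (const [name, policy] of Object.entries(POLICIES)) {
    rows[name] = [JQ141, JQ191, FEED].map((url) => scriptAllowed(policy, url));
  }
  return rows;
}
console.log(report(), invalidDirectiveNames(POLICIES.question));
```

With all three policies the feed request from the error log stays blocked in this model, because it is an http:// URL and every listed source is https://.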
Reputation: 352
If you build a packaged app, you cannot load external scripts. Your application must embed every script, style or image.
Check this link to ensure you are following chrome app CSP rules: https://developer.chrome.com/extensions/contentSecurityPolicy
Upvotes: 1