Reputation: 4387
I'm having trouble loading an external js file in my chrome extension. Here's my csp entry in my manifest:
"content_security_policy": "script-src 'self' 'unsafe-eval' 'unsafe-inline' http://proto.office.atlassian.com; object-src 'self'"
Here's how I'm calling the script in my popup.html:
<script src="http://proto.office.atlassian.com/prototypes.js"></script>
and here's the error I'm getting:
Refused to load the script 'http://proto.office.atlassian.com/prototypes.js' because it violates the following Content Security Policy directive: "script-src 'self'"
I've confirmed that my CORS headers are set correctly on the server, and I can pull up the script via an XMLHttpRequest just fine, but I can't seem to load one via the script tag or eval it once I grab it. Any help would be appreciated :)
Upvotes: 1
Views: 178
Reputation: 4950
External scripts must be explicitly allowed by the content security policy in your manifest.
If you have a need for some external JavaScript or object resources, you can relax the policy to a limited extent by whitelisting secure origins from which scripts should be accepted...
A relaxed policy definition which allows script resources to be loaded from example.com over HTTPS might look like:
"content_security_policy":"script-src 'self' https://example.com; object-src 'self'"
Scripts can only be loaded into an extension over HTTPS, so you must load the jQuery CDN resource over HTTPS:
<script src="https://ajax.googleapis.com/..."></script>
{
    "manifest_version": 2,
    "name": "One-click Kittens",
    "description": "This extension demonstrates a 'browser action' with kittens.",
    "version": "1.0",
    "browser_action": {
        "default_icon": "icon.png",
        "default_popup": "popup.html"
    },
    "content_security_policy": "script-src 'self' https://ajax.googleapis.com; object-src 'self'"
}
Upvotes: 2