Reputation: 167
I try to encrypt user data with the cryptojs library and send it to the server by ajax, but the console shows the error:
Refused to load the script 'https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.0.0/crypto-js.min.js' because it violates the following Content Security Policy directive: "script-src 'self' https://apis.google.com 'unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
My manifest code contains:
"content_security_policy": "script-src 'self' https://apis.google.com 'unsafe-eval'; object-src 'self'"
How do I solve this problem?
Upvotes: 16
Views: 50971
Reputation: 7130
The script-src-elem directive specifies valid sources for JavaScript elements.
Try this for V3 by adding script-src-elem:
"content_security_policy": {
"extension_pages": "script-src 'self' 'unsafe-eval' https://maps.googleapis.com; object-src 'self'; script-src-elem 'self' 'unsafe-eval' https://maps.googleapis.com"
}
Delete https://maps.googleapis.com if you don't care about it.
Some context from here:
The HTTP Content-Security-Policy response header allows web site administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks.
Syntax
Content-Security-Policy: <policy-directive>; <policy-directive>
where consists of: with no internal punctuation.
Upvotes: 0
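To make the fallback in the error message concrete ("script-src-elem was not explicitly set, so script-src is used as a fallback"), here is an added example that is not code from the question or either answer. It is a small CSP evaluator that picks the governing directive for a script element (script-src-elem, then script-src, then default-src) and matches the script URL against that directive's source list. It goes slightly beyond the policies on this page by also handling "*." wildcard hosts and bare scheme sources such as "https:"; path matching is simplified to the CSP prefix/exact rule. The extension ID in the page origin is a placeholder, not a real one, and the sample inputs are constructed from the question and the accepted answer.

```javascript
// Added example, not from the question or the answers: evaluates whether a
// <script src="..."> load is permitted by a CSP string, reproducing the
// script-src-elem -> script-src -> default-src fallback chain.

function parsePolicy(policy) {
  // "script-src 'self' https://a; object-src 'self'" -> Map(name -> [sources]).
  // As in CSP, a directive repeated within one policy keeps its first occurrence.
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function effectiveDirective(directives) {
  // Fallback chain for script elements; the first directive present governs.
  for (const name of ["script-src-elem", "script-src", "default-src"]) {
    if (directives.has(name)) return { name, sources: directives.get(name) };
  }
  return null; // no governing directive: CSP does not restrict the load
}

function sameOrigin(a, b) {
  // Compare scheme and host explicitly: URL.origin is "null" for non-special
  // schemes such as chrome-extension:, which would make 'self' never match.
  return a.protocol === b.protocol && a.host === b.host;
}

function defaultPort(protocol) {
  return protocol === "https:" ? "443" : protocol === "http:" ? "80" : "";
}

function sourceMatches(source, url, pageUrl) {
  if (source === "'self'") return sameOrigin(url, pageUrl);
  if (source.startsWith("'")) return false; // 'unsafe-eval', 'unsafe-inline', nonces: never match a URL
  if (source === "*") return url.protocol === "http:" || url.protocol === "https:";
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/*]+)(?::(\d+|\*))?(\/[^?#]*)?$/i.exec(source);
  if (!m) { // bare scheme source, e.g. "https:"
    return /^[a-z][a-z0-9+.-]*:$/i.test(source) && url.protocol === source.toLowerCase();
  }
  const [, scheme, wildcard, host, port, path] = m;
  // A host source without a scheme only matches http/https (simplified).
  if (scheme ? url.protocol !== scheme.toLowerCase() + ":" : !/^https?:$/.test(url.protocol)) return false;
  const h = url.hostname.toLowerCase(), want = host.toLowerCase();
  if (wildcard ? !h.endsWith("." + want) : h !== want) return false;
  if (port === undefined) {
    if (url.port !== "") return false; // no port in source: URL must use the scheme's default port
  } else if (port !== "*" && port !== (url.port || defaultPort(url.protocol))) {
    return false;
  }
  if (path && (path.endsWith("/") ? !url.pathname.startsWith(path) : url.pathname !== path)) return false;
  return true;
}

function isScriptAllowed(policy, scriptUrl, pageOrigin) {
  // Returns the governing directive too, so the fallback is visible to the caller.
  const directive = effectiveDirective(parsePolicy(policy));
  if (!directive) return { allowed: true, directive: null };
  const url = new URL(scriptUrl);
  const pageUrl = new URL(pageOrigin);
  const allowed = directive.sources.some((s) => sourceMatches(s, url, pageUrl));
  return { allowed, directive: directive.name };
}

// Constructed sample inputs: the question's policy and the cdnjs URL from its
// error message, evaluated from an extension page whose ID is a placeholder.
const PAGE_ORIGIN = "chrome-extension://extension-id-placeholder";
const QUESTION_POLICY = "script-src 'self' https://apis.google.com 'unsafe-eval'; object-src 'self'";
const CDNJS_URL = "https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.0.0/crypto-js.min.js";
const ANSWER_POLICY = "script-src 'self' 'unsafe-eval' https://maps.googleapis.com; object-src 'self'; " +
  "script-src-elem 'self' 'unsafe-eval' https://maps.googleapis.com";

console.log(isScriptAllowed(QUESTION_POLICY, CDNJS_URL, PAGE_ORIGIN));
// { allowed: false, directive: 'script-src' }  (no script-src-elem, so script-src governs)
console.log(isScriptAllowed(ANSWER_POLICY, "https://maps.googleapis.com/maps/api/js", PAGE_ORIGIN));
// { allowed: true, directive: 'script-src-elem' }
console.log(isScriptAllowed(QUESTION_POLICY, PAGE_ORIGIN + "/lib/crypto-js.min.js", PAGE_ORIGIN));
// { allowed: true, directive: 'script-src' }  (a bundled copy matches 'self')
```

The third call shows the check that matters for the question: a copy of the library shipped inside the extension is allowed by the existing 'self' entry, whereas the cdnjs host would have to be added to the governing directive for the remote load to pass.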
Reputation: 658
For those who stumble upon the same issue: I had the same and it was resolved after I updated content_security_policy to include the googleapis URL I was trying to load.
My code:
<head>
...
<script src="https://maps.googleapis.com/maps/api/js?key=API_KEY&libraries=places"></script>
</head>
Needed:
{
"content_security_policy": "script-src 'self' 'unsafe-eval' https://maps.googleapis.com 'unsafe-inline'; object-src 'self'"
}
Upvotes: 6