jrw

Reputation: 51

JS in chrome extension popup violates Content Security Policy

I am trying to write a Chrome Extension (actually running on Edge) where I interact with a popup window. When I try to include a JS file and open the popup, I get:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'wasm-unsafe-eval' 'inline-speculation-rules' http://localhost:* http://127.0.0.1:*". Either the 'unsafe-inline' keyword, a hash ('sha256-raRWY4zvZk7J6ZGXHfOiHeW3yHHN+OorzPZeik7kg/k='), or a nonce ('nonce-...') is required to enable inline execution.

I have tried specifying a policy in the html, in the manifest, both - no change regardless. I've pruned the code down to essentials - still nothing.

The error references a security policy - where is that coming from?

If I put 'unsafe-inline' into the manifest (the very thing that is demanded in the error), that is rejected as insecure:

Error: 'content_security_policy.extension_pages': Insecure CSP value "'unsafe-inline'" in directive 'script-src'.

Any hints about where I should look? All online examples show this as trivial, but none deal with security policy.

Thanks!

(Files below)


manifest.json

{
  "manifest_version": 3,
  "name": "Test Plugin",
  "version": "0.03",
  "description": "Test default_popup",
  "content_security_policy": {
    "extension_pages": "script-src 'self' ; object-src 'self';"
  },
  "icons": {
    "16": "images/16x16-icon.png"
  },
  "action": {
    "default_title": "Test Plugin",
    "default_popup": "popup/popup.html"
  }
}

popup/popup.html

<!DOCTYPE html>
<html>
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <meta http-equiv="Content-Security-Policy" 
        content="script-src 'self' 'unsafe-inline'"> 
    <title>Hello Popup!</title>
    
  </head>
  <body>
 Test Popup
  </body>
  <script>src="./popup.js"</script>
</html>

popup.js

const randomVariable = 7;

I've tried every variation of the unsafe-inline or the hash in both the html and the manifest (which was suggested in other posts) - the error never varies.

Is this security baked into my browser settings somehow? It seems absurdly difficult to run JS locally - I'm not pulling in cross-origin code or anything like that. Surely I'm missing something basic?

And what is a 'nonce'?

Upvotes: 0

Views: 1061

Answers (0)
