google maps api script does load due to content security policy

Om3ga picture Om3ga · Nov 5, 2012 · Viewed 22.3k times · Source

I am making a google chrome extension where I want to use google maps. The problem is that when I run my script then it gives me this error

Refused to load script from 'https://maps.googleapis.com/maps/api/js?key=XXXXXXXXXXXXXXXX&sensor=false' because of Content-Security-Policy.

Here is my manifest file

{
  "name": "Name",
  "version": "1.0",
  "manifest_version": 2,
  "background": { 
    "scripts": [
      "js/script.js"
    ] 
  },
  "description": "Desc",
  "browser_action": {
    "default_icon": "images/icon.png",
    "default_title": "Title",
    "default_popup": "html/popup.html"
  },
  "permissions": [ 
    "http://*/",
    "http://*.google.com/",
    "http://localhost/*"
  ],
  "content_security_policy": "script-src 'self' http://google.com; object-src 'self'"

}

And I am adding my scripts like this

<script src="../js/libs/jquery.js"></script>
  <script type="text/javascript" src="https://maps.googleapis.com/maps/api/js?key=XXXXXXXXXXXXXX&sensor=false"></script>
  <script src="../js/plugins/easing.js"></script>
  <script src="../js/script.js"></script>

Why am I getting that error again and again? Please help...

Update one

I added these two permissions to manifest file but still not working

"https://maps.google.com/*",
"https://maps.googleapis.com/*",

Update two

I also used this sort of content_security_policy

"content_security_policy": "default-src 'none'; style-src 'self'; script-src 'self'; connect-src https://maps.googleapis.com; img-src https://maps.google.com"

But above doesnt work for me either

Answer

Syed Ghulam Akbar picture Syed Ghulam Akbar · Nov 5, 2012

I think the problem here is that you have not correctly set the content security policy for Google Maps URL. You should change your "content_security_policy" in manifest file to something like this:

"content_security_policy": "script-src 'self' https://maps.googleapis.com https://maps.gstatic.com; object-src 'self'"

This simply means that you are allowing to run script from the self/current page, and from the "https://maps.googleapis.com".

Try this, and see if it helps.