Content Security Policy in Chrome App

user1968030 picture user1968030 · Jan 15, 2014 · Viewed 44k times · Source

My Chrome app has the following manifest:

{
    "name": ",
    "version": "1.0.3",
    "manifest_version": 2,
    "description": "Chrome Extension for.",
    "icons": {
        "16": "images/test.png",
        "19": "images/test.png",
        "256": "images/test.png"
    },
    "app": {
        "background": {
            "scripts": [
                "background.js"
            ]
        }
    },

    "sandbox": {
        "js": [
            "lib/test-api.js"
        ]
    },
    "permissions": [
        "<all_urls>",
        "notifications",
        "storage",
        "videoCapture"
    ]
}

I have a script file that runs eval. I have read about CSP and sandboxing, but I still get this error:

Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' chrome-extension-resource:". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

Answer

brucek picture brucek · Jan 15, 2014

Have you tried adding the CSP line to your manifest as per your CSP link?

"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"