I'm making a chrome extension however I seem to get the following error when I try to fire up an onclick() event.
Refused to load the script 'https://apis.google.com/js/client.js?onload=handleClientLoad' because it violates the following Content Security Policy directive: "script-src 'self' blob: filesystem: chrome-extension-resource:"
and
Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' blob: filesystem: chrome-extension-resource:". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
This is my manifest.json :
{
"manifest_version": 2,
"name": "SECURE",
"description": "this extension offers secure communication for GMAIL users",
"version": "1.0",
"browser_action": {
"default_icon": "resources/icon16.png",
"default_popup": "popup.html",
"default_title": "Click here!"
},
"background":{
"scripts":["background.js"]
},
"content_scripts": [
{
"matches": ["http://*/*", "https://*/*"],
"js":["myscript.js"],
"run_at": "document_end"
}
],
"permissions": ["identity", "https://accounts.google.com/*", "https://www.googleapis.com/*"],
"oauth2": {
"client_id": "975410329966.apps.googleusercontent.com",
"scopes": [
"<all urls>",
"https://www.googleapis.com/auth/drive",
"https://mail.google.com/",
"https://www.googleapis.com/auth/gmail.login",
"https://www.googleapis.com/auth/gmail.compose",
"https://www.googleapis.com/auth/gmail.readonly",
"https://www.googleapis.com/auth/gmail.send"
],
"content_security_policy":"script-src 'self' 'unsafe-inline' 'unsafe eval' https://apis.google.com/js/client.js?; object-src 'self'"
}
}
Any help towards fixing this error would greatly be appreciated.
By default Content Security Policy, inline scripts won't be loaded and only local script can be loaded. You could relax the default policy by:
Inline Script. Take a look at Official Guide, inline scripts can be whitelisted by specifying the base64-encoded hash of the source code in the policy. See Hash usage for elements for an example.
But I believe a better way would extract this logic to a separate script and not use inline script.
Remote Script. You could whitelist script resources https://apis.google.com/js/client.js?onload=handleClientLoad
by the following section in manifest.json
"content_security_policy":"script-src 'self' https://apis.google.com; object-src 'self'"
Also, I believe a better way could be downloading the remote client.js
and include it as a local script.
Please be aware as per the description of Inline Script, unsafe-inline
no longer works.
Up until Chrome 45, there was no mechanism for relaxing the restriction against executing inline JavaScript. In particular, setting a script policy that includes 'unsafe-inline' will have no effect.