Javascript – Chrome Extension “Refused to load the script because it violates the following Content Security Policy directive”

google-chromegoogle-chrome-extensionhtmljavascriptjquery

I'm trying to create a Chrome extension, but none of my JS works. The console shows this error:

Refused to load the script
'https://ajax.googleapis.com/ajax/libs/jquery/1.12.0/jquery.min.js'
because it violates the following Content Security Policy directive:
"script-src 'self' blob: filesystem: chrome-extension-resource:".

Why is it blocking my jQuery from running?

Best Answer

As explained on the Chome website, there is a Content Security Policy preventing your script to load remote script:

A relaxed policy definition which allows script resources to be loaded from example.com over HTTPS might look like:

"content_security_policy": "script-src 'self' https://example.com; object-src 'self'"

So in your case, the manifest.json should contain:

 {
  "name": "My Extension",
  "manifest_version": 2,
  "background":{
     "scripts": [...]
  },
  "content_security_policy": "script-src 'self' https://example.com; object-src 'self'",
 }

Important note

As others have pointed out, this is not recommended, and you should put all your CSS in a dedicated file. See the OWASP explanation on why CSS can be a vector for attacks (kudos to @ KayakinKoder for the link).

Jquery – Extension refuses to load the script due to Content Security Policy directive

In a Chrome extension, external script sources must be explicitly allowed by the extension's content security policy (CSP) in your manifest:

If you have a need for some external JavaScript or object resources, you can relax the policy to a limited extent by whitelisting secure origins from which scripts should be accepted...

A relaxed policy definition which allows script resources to be loaded from example.com over HTTPS might look like:
"content_security_policy":"script-src 'self' https://example.com; object-src 'self'"

Scripts can only be loaded into an extension over HTTPS, so you must load the jQuery CDN resource over HTTPS:

<script src="https://ajax.googleapis.com/..."></script>

And add a modified CSP to your manifest to allow that HTTPS resource:

{
    "manifest_version": 2,
    "name": "One-click Kittens",
    "description": "This extension demonstrates a 'browser action' with kittens.",
    "version": "1.0",
    "browser_action": {
        "default_icon": "icon.png",
        "default_popup": "popup.html"
    },
    "content_security_policy": "script-src 'self' https://ajax.googleapis.com; object-src 'self'"
}

And even better solution for your particular case, however, would be to include jQuery in your extension locally, instead of loading from the Internet (for example, your extension currently won't work offline). Simply include a copy of jQuery in your extension folder and refer to it with a relative path in your script tag. Assuming your jQuery library and HTML popup file are in the same subdirectory, simply do:

<script src="jquery-x.y.z.min.js"></script>

Best Answer

Related Solutions

Javascript – Refused to apply inline style because it violates the following Content Security Policy directive

Important note

Jquery – Extension refuses to load the script due to Content Security Policy directive

Related Topic