Javascript – Chrome Extension “Refused to load the script because it violates the following Content Security Policy directive”

content-security-policycryptojsgoogle-chromegoogle-chrome-extensionjavascript

i try to encrypt user data by cryptojs library and send to server by ajax but the console shows the error:

Refused to load the script 'https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.0.0/crypto-js.min.js' because it violates the following Content Security Policy directive: "script-src 'self' https://apis.google.com 'unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

my manifest code contains :

"content_security_policy": "script-src 'self' https://apis.google.com 'unsafe-eval'; object-src 'self'"

how to solve this problem?

Best Answer

For those who tumble upon the same issue. I had the same and it was resolved after I updated content_security_policy to include the googleapis url I was trying to load.

My code:

<head>
...
<script src="https://maps.googleapis.com/maps/api/js?key=API_KEY;libraries=places"></script>
</head>

Needed

{
  "content_security_policy": "script-src 'self' 'unsafe-eval' https://maps.googleapis.com 'unsafe-inline'; object-src 'self'",
}

Important note

As others have pointed out, this is not recommended, and you should put all your CSS in a dedicated file. See the OWASP explanation on why CSS can be a vector for attacks (kudos to @ KayakinKoder for the link).

Content Security Policy “data” not working for base64 Images in Chrome 28

According to the grammar in the CSP spec, you need to specify schemes as scheme:, not just scheme. So, you need to change the image source directive to:

img-src 'self' data:;

Best Answer

Related Solutions

Javascript – Refused to apply inline style because it violates the following Content Security Policy directive

Important note

Content Security Policy “data” not working for base64 Images in Chrome 28

Related Topic