Javascript – Content Security Policy in Chrome App

content-security-policygoogle-chromegoogle-chrome-appjavascriptmanifest

My Chrome app has the following manifest:

{
    "name": ",
    "version": "1.0.3",
    "manifest_version": 2,
    "description": "Chrome Extension for.",
    "icons": {
        "16": "images/test.png",
        "19": "images/test.png",
        "256": "images/test.png"
    },
    "app": {
        "background": {
            "scripts": [
                "background.js"
            ]
        }
    },

    "sandbox": {
        "js": [
            "lib/test-api.js"
        ]
    },
    "permissions": [
        "<all_urls>",
        "notifications",
        "storage",
        "videoCapture"
    ]
}

I have a script file that runs eval. I have read about CSP and sandboxing, but I still get this error:

Refused to evaluate a string as JavaScript because 'unsafe-eval' is
not an allowed source of script in the following Content Security
Policy directive: "default-src 'self' chrome-extension-resource:".
Note that 'script-src' was not explicitly set, so 'default-src' is
used as a fallback.

Best Answer

Have you tried adding the CSP line to your manifest as per your CSP link?

"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"

Related Solutions

Javascript – Disable same origin policy in Chrome

Close chrome (or chromium) and restart with the --disable-web-security argument. I just tested this and verified that I can access the contents of an iframe with src="http://google.com" embedded in a page served from "localhost" (tested under chromium 5 / ubuntu). For me the exact command was:

Note : Kill all chrome instances before running command

chromium-browser --disable-web-security --user-data-dir="[some directory here]"

The browser will warn you that "you are using an unsupported command line" when it first opens, which you can ignore.

From the chromium source:

// Don't enforce the same-origin policy. (Used by people testing their sites.)
const wchar_t kDisableWebSecurity[] = L"disable-web-security";

Before Chrome 48, you could just use:

chromium-browser --disable-web-security

Google-chrome – Disabling Chrome cache for website development

The Chrome DevTools can disable the cache.

Right-click and choose Inspect Element to open the DevTools. Or use one of the following keyboard shortcuts:

F12
Control+Shift+i
Command+Shift+i

Click Network in the toolbar to open the network pane.
Check the Disable cache checkbox at the top.

screenshot of development tools panel

Keep in mind, as a tweet from @ChromiumDev stated, this setting is only active while the devtools are open.

Note that this will result in all resources being reloaded. Should you desire to disable the cache only for some resources, you can modify the HTTP header that your server sends alongside your files.

If you do not want to use the Disable cache checkbox, a long press on the refresh button with the DevTools open will show a menu with the options to Hard Reload or Empty Cache and Hard Reload which should have a similar effect. Read about the difference between the options to know which option to choose. The following shortcuts are available:

Command+Option+R on Mac
Control+Shift+R on Windows or Linux

long press

Best Answer

Related Solutions

Javascript – Disable same origin policy in Chrome

Google-chrome – Disabling Chrome cache for website development

Related Topic