Re: [crx] Content Security Policy directive [help]


John J Barton

Jul 19, 2012, 5:41:37 PM
to Amit Gupta, chromium-...@chromium.org


On Tue, Jul 17, 2012 at 10:38 PM, Amit Gupta <amitgu...@gmail.com> wrote:
Dear developers,


I have a pop-up.html with the following contents:

<p onclick="document.alert('hi')"> test</p>
<iframe src="http://google.com" height=600 width=600>test1</iframe>

These two lines are giving me the following two messages:

Refused to display document because display forbidden by X-Frame-Options.
2Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' chrome-extension-resource:".
Could you please point me to some resource to understand this issue and fix?


You will have to put the iframe into an HTTPS server or into your extension.

jjb
 

With thanks and regards,
Amit


Adam Barth

Jul 19, 2012, 5:44:47 PM
to Amit Gupta, chromium-...@chromium.org
On Tue, Jul 17, 2012 at 10:38 PM, Amit Gupta <amitgu...@gmail.com> wrote:
Dear developers,


I have a pop-up.html with the following contents:

<p onclick="document.alert('hi')"> test</p>
<iframe src="http://google.com" height=600 width=600>test1</iframe>

These two lines are giving me the following two messages:

Refused to display document because display forbidden by X-Frame-Options.
2Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' chrome-extension-resource:".
Could you please point me to some resource to understand this issue and fix?

There are two problems:

1) The onclick attribute is an inline event handler.  You'll need to move the code into an external script file and then use addEventListener to attach the event.  See "Inline JavaScript will not be executed" in http://code.google.com/chrome/extensions/contentSecurityPolicy.html

2) The google.com home page refuses to be displayed inside an iframe.  This isn't specifically related to extensions or Content-Security-Policy.  You'd have the same experience with a normal web page.

Adam
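
The inline-handler problem from point 1 above, as an added example that is not part of the original thread or of Chrome's own code: a small Node.js lint that flags markup the quoted `script-src 'self'` policy refuses to run, shown against the popup from the question and a reworked version. The function name `findCspViolations`, the `greet` id and the `popup.js` file name are assumptions for illustration.

```javascript
// Added example: flags inline event handlers, inline <script> bodies and
// javascript: URLs, none of which run under script-src 'self'.
// Regex tokenizer for well-formed extension HTML, not a full HTML parser.
const TAG = /<([a-zA-Z][\w-]*)((?:\s+[^\s"'>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/g;
const ATTR = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function findCspViolations(html) {
  const findings = [];
  TAG.lastIndex = 0;
  let m;
  while ((m = TAG.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = Object.create(null);
    for (const a of m[2].matchAll(ATTR)) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? "";
    }
    for (const name of Object.keys(attrs)) {
      if (/^on[a-z]+$/.test(name)) {
        findings.push({ kind: "inline-event-handler", tag, attr: name });
      } else if ((name === "href" || name === "src") && /^\s*javascript:/i.test(attrs[name])) {
        findings.push({ kind: "javascript-url", tag, attr: name });
      }
    }
    if (tag === "script") {
      // Script text is not markup: inspect it, then skip past it.
      const end = html.toLowerCase().indexOf("</script", TAG.lastIndex);
      const body = html.slice(TAG.lastIndex, end === -1 ? html.length : end);
      if (!("src" in attrs) && body.trim() !== "") {
        findings.push({ kind: "inline-script", tag, attr: null });
      }
      if (end !== -1) TAG.lastIndex = end;
    }
  }
  return findings;
}

// The two lines from the question.
const BEFORE = `<p onclick="document.alert('hi')"> test</p>
<iframe src="http://google.com" height=600 width=600>test1</iframe>`;

// Constructed rework: the handler moves to an external file loaded from the extension.
// popup.js (hypothetical) would contain:
//   document.getElementById("greet").addEventListener("click", () => alert("hi"));
const AFTER = `<p id="greet"> test</p>
<script src="popup.js"></script>`;

console.log(findCspViolations(BEFORE), findCspViolations(AFTER));
```

The iframe line produces no finding here because, as point 2 says, that refusal comes from the framed site's X-Frame-Options header rather than from the extension's policy.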


