How to debug "Refused to execute inline script because of Content-Security-Policy"


patrick clancey

Jul 8, 2012, 12:02:51 PM
to chromium-...@chromium.org
I haven't changed anything in my extension and it's stopped working with a couple of "Refused to execute inline script because of Content-Security-Policy." in the background page. I guess this started happening with the Chrome 20 update. I've tried adding "manifest_version": 1 and "content_security_policy": "default-src 'self' 'unsafe-inline'" to the manifest but no help. Not sure what to try next?



Joshua Woodward

Jul 8, 2012, 12:07:11 PM
to patrick clancey, chromium-...@chromium.org

Return to manifest version 2

All your js has to be in an external file, no inline script.

On Jul 8, 2012 9:03 AM, "patrick clancey" <clan...@gmail.com> wrote:
I haven't changed anything in my extension and it's stopped working with a couple of "Refused to execute inline script because of Content-Security-Policy." in the background page. I guess this started happening with the Chrome 20 update. I've tried adding "manifest_version": 1 and "content_security_policy": "default-src 'self' 'unsafe-inline'" to the manifest but no help. Not sure what to try next?


--
You received this message because you are subscribed to the Google Groups "Chromium-extensions" group.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msg/chromium-extensions/-/A96xCJWysK8J.
To post to this group, send email to chromium-...@chromium.org.
To unsubscribe from this group, send email to chromium-extens...@chromium.org.
For more options, visit this group at http://groups.google.com/a/chromium.org/group/chromium-extensions/?hl=en.

PhistucK

Jul 15, 2012, 1:48:04 PM
to Martin Bartlett, chromium-...@chromium.org
If you enable pausing on exceptions (the pause (II) button at the bottom toolbar of the Scripts panel), and enter -
location.reload(true)
in the console, does that provide you with more information?

PhistucK



On Sat, Jul 14, 2012 at 7:13 PM, Martin Bartlett <martin.j...@gmail.com> wrote:
OK, I HAVE updated MY complex extension such that it seems to work with manifest v2 CSP, but my background page still logs three "Refused to evaluate script because of Content-Security-Policy." messages on load. Bearing in mind that my small content scripts appear to work, there are no evals in any of my code, and no inline scripts or external resource fetches in the HTML pages, how do I pinpoint (in a large extension remember) what is causing this problem?


On Sunday, July 8, 2012 6:02:51 PM UTC+2, patrick clancey wrote:
I haven't changed anything in my extension and it's stopped working with a couple of "Refused to execute inline script because of Content-Security-Policy." in the background page. I guess this started happening with the Chrome 20 update. I've tried adding "manifest_version": 1 and "content_security_policy": "default-src 'self' 'unsafe-inline'" to the manifest but no help. Not sure what to try next?



Thomas Greiner

Jul 15, 2012, 2:59:03 PM
to chromium-...@chromium.org
You should also check other locations in which strings are being parsed (eval is not the only method that parses strings) such as in setTimeout and setInterval. Here's an example:

instead of:
setTimeout("alert(1);", 100);

you could write:
function myAlert() {
   alert(1);
}
setTimeout(myAlert, 100);


Furthermore you could look for JavaScript not only inside event handlers (e.g. <div onclick="alert(1);">) but also in anchor tags (e.g. <a href="javascript:alert(1);">). And don't forget to avoid var myAlert = new Function("alert(1);");.

Hope that helps.

- Thomas

PS: In case you don't know, you can find the full documentation regarding CSP changes at this URL: http://code.google.com/chrome/extensions/contentSecurityPolicy.html
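
A static scan for the constructs named in this thread (inline scripts and event handlers, javascript: URLs, eval, new Function, string arguments to setTimeout/setInterval), as an added example that is not part of any poster's message. The regexes are line-based heuristics, and the SAMPLE file names and contents are constructed for illustration.

```javascript
// Added example: line-based heuristic scan for constructs the extension CSP refuses.
// Rules marked html apply only to .html files; the rest apply to every file.
const RULES = [
  { id: 'inline-script', html: true, re: /<script(?![^>]*\bsrc\s*=)[^>]*>/i },
  { id: 'inline-handler', html: true, re: /<[a-z][^>]*\son[a-z]+\s*=\s*["']/i },
  { id: 'javascript-url', html: true, re: /\b(?:href|src|action)\s*=\s*["']\s*javascript:/i },
  { id: 'eval', html: false, re: /\beval\s*\(/ },
  { id: 'new-Function', html: false, re: /\bnew\s+Function\s*\(/ },
  { id: 'string-timer', html: false, re: /\bset(?:Timeout|Interval)\s*\(\s*["'`]/ },
];

// Returns [{file, line, rule}] for one file's text (tags split across lines are missed).
function scanSource(name, text) {
  const isHtml = /\.html?$/i.test(name);
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const rule of RULES) {
      if (rule.html && !isHtml) continue;
      if (rule.re.test(line)) findings.push({ file: name, line: i + 1, rule: rule.id });
    }
  });
  return findings;
}

// Constructed sample extension files (not taken from the posters' extensions).
const SAMPLE = {
  'background.html': [
    '<html><head>',
    '<script src="background.js"></script>',
    '<script>init();</script>',
    '</head><body>',
    '<div onclick="alert(1);">x</div>',
    '<a href="javascript:alert(1);">y</a>',
    '</body></html>',
  ].join('\n'),
  'background.js': [
    'function myAlert() { alert(1); }',
    'setTimeout(myAlert, 100);',
    'setTimeout("alert(1);", 100);',
    'var f = new Function("alert(1);");',
  ].join('\n'),
};

function scanAll(files) {
  return Object.keys(files).flatMap((name) => scanSource(name, files[name]));
}

for (const f of scanAll(SAMPLE)) console.log(`${f.file}:${f.line}  ${f.rule}`);
```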



