Content scripts are not working with manifest version 3

2,563 views
Skip to first unread message

Sangeetha Panneerselvam

unread,
Sep 7, 2021, 10:39:59 AM9/7/21
to Chromium Extensions
Hi,

I am working on chrome extension development - manifest migration v2 to v3. On this migration process, injection of content scripts are not working.

With manifest v2, we didn't use any content-security-policy like script-src , unsafe-inline , so on, anywhere in the code.

Below is the error, I got :
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-4Ae2JojEsWUVPDp**********GC57PN0wjayTHrMcBs='), or a nonce ('nonce-...') is required to enable inline execution.


wOxxOm

unread,
Sep 7, 2021, 12:07:44 PM9/7/21
to Chromium Extensions, sangee...@gmail.com
Judging by the error message you either create a DOM script element or use javascript in an inline attribute like onclick in a page with a strict CSP. This is not injection of a content script. Show us the code.

Sangeetha Panneerselvam

unread,
Sep 7, 2021, 12:21:55 PM9/7/21
to Chromium Extensions, wOxxOm, Sangeetha Panneerselvam
function executeInPage3(code){
  let mid = +new Date() + Math.floor(Math.random() * 1000);
  function onWindowMessage3(e) {
    //**console.log("Message received 3",e)
    
  }
    window.addEventListener("message", onWindowMessage3);
    
  
    code =
      "(function(){\n" +
      "  let fun = " +
      code +
      ";\n" +
      "  fun(function(result){\n" +
      "    let msg = {}\n" +
      "    msg.id = " +
      mid +
      "\n" +
      "    msg.result = result\n" +
      '    window.postMessage(msg, "*")\n' +
      "  })\n" +
      "}())";
  
      let script = document.createElement("script");
      script.text = code;
      document.head.appendChild(script);     <----------  This is where I am getting the error on appending script
}

wOxxOm

unread,
Sep 7, 2021, 12:49:01 PM9/7/21
to Chromium Extensions, sangee...@gmail.com, wOxxOm
Yeah, dynamically constructed code isn't allowed in ManifestV3.

You'll have to use a script element with src property pointing to a js file in the extension package exposed in manifest.json via web_accessible_resources. It won't allow you to embed the message id inside the code though so you'll have to use a predefined name.

In the future we will be able to use chrome.scripting.registerContentScripts to register scripts to run in the page context (aka "main world") and provide parameters for them, see https://crbug.com/1054624 (currently it can only register content scripts but not page scripts).

Related feature request: https://crbug.com/1207006

Reply all
Reply to author
Forward
0 new messages