Refused to execute inline script because it violates the following Content Security Policy


Vanessa Dias

Jun 29, 2021, 3:53:33 AM
to Chromium Extensions
Hello Team,

Could you please help me out with this issue.

Adding my manifest code

"content_security_policy": "script-src  'self' 'unsafe-eval' https://www.cryptonator.com/ui/js/widget/calc_widget.js ; object-src 'self';  style-src-elem 'unsafe-inline' https://fonts.googleapis.com/css2 'self'",

Getting this error.

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' https://www.cryptonator.com/ui/js/widget/calc_widget.js". Either the 'unsafe-inline' keyword, a hash ('sha256-Bj5VSgNO84sPVDa6/y8jcEMEjQH4eaMNskYgUyuIgwk='), or a nonce ('nonce-...') is required to enable inline execution.

hrg...@gmail.com

Jun 29, 2021, 4:51:36 AM
to Chromium Extensions, Vanessa Dias
You have to specify "unsafe-inline" not "unsafe-eval" in order to run inline scripts.

Vanessa Dias

Jun 30, 2021, 1:42:43 PM
to Chromium Extensions, hrg...@gmail.com, Vanessa Dias
I removed the "unsafe-eval" and updated to "unsafe-inline", but the script is still not working.

Can we use any widget in the Chrome extension? Does that cause any security or policy issues?

Simeon Vincent

Jun 30, 2021, 8:59:08 PM
to Vanessa Dias, Chromium Extensions, hrg...@gmail.com
I removed the "unsafe-eval" and updated to "unsafe-inline", but the script is still not working.

The original error message you included recommended using "unsafe-inline". What error are you receiving now?

It looks like you're currently supplying the full URL of the file you want to allow rather than just the domain. That may be why your CSP is not behaving as expected.


Can we use any widget in the Chrome extension? Does that cause any security or policy issues?

What do you mean by "widget"? That's not a web platform or extension concept, so I can't answer that question without more context. If you are asking about including JavaScript files that are not bundled with your extension in a Manifest V2 Chrome extension, yes.

Including remote scripts can absolutely cause security issues; that's why we don't allow this kind of CSP modification in Manifest V3 extensions and have additional policies disallowing script injection.

Simeon - @dotproto
Chrome Extensions DevRel


--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/b1504104-2280-4173-9fba-7df49f82c823n%40chromium.org.

Vanessa Dias

Jul 1, 2021, 7:19:02 PM
to Simeon Vincent, Chromium Extensions, hrg...@gmail.com
Hello Simeon,

I am getting this error message

"content_security_policy': Ignored insecure CSP value "'unsafe-inline'" in directive 'script-src'."

Simeon Vincent

Jul 1, 2021, 8:43:04 PM
to Vanessa Dias, Chromium Extensions, hrg...@gmail.com
Googling that error message turned up this StackOverflow post, which links developer.chrome.com/extensions/contentSecurityPolicy#relaxing. Unfortunately, that page was deleted in the migration to our new doc server, so I used the Wayback Machine to fetch an old version of the page, which states:

Up until Chrome 45, there was no mechanism for relaxing the restriction against executing inline JavaScript. In particular, setting a script policy that includes 'unsafe-inline' will have no effect.

As of Chrome 46, inline scripts can be allowed by specifying the base64-encoded hash of the source code in the policy. This hash must be prefixed by the used hash algorithm (sha256, sha384 or sha512). See Hash usage for <script> elements for an example.

Simeon - @dotproto
Chrome Extensions DevRel

Vanessa Dias

Jul 5, 2021, 11:17:37 AM
to Chromium Extensions, Simeon Vincent, Chromium Extensions, hrg...@gmail.com, Vanessa Dias
Hello Simeon,

Thanks for sharing this article developer.chrome.com/extensions/contentSecurityPolicy#relaxing. It really helped me fix this error.