65

I am working on creating a Chrome Extension of an Image Cropping Widget. The code of my popup.html is as follows:

<body>
    <textarea id="widget_script" style="border:1px solid #ccc;padding:5px;width:600px" rows="5" readonly></textarea>
    <script type="text/javascript">
        var protocol=window.location.protocol;
        var host= window.location.host;
        var head=('<div id="wd_id" style="margin-bottom: 20px;"></div>
    <script type="text/javascript" src="http://code.jquery.com/jquery-latest.min.js"></\script>
    <script type="text/javascript" src="'+protocol+'//'+host+'Image_crop/cropimages/img_crop_widget.js'+'"><\/script>
    <script type="text/javascript">init_widget()<\/script>');
        document.getElementById("widget_script").innerHTML=head;
    </script>
</body>

The variables protocol and host take protocol and host from URL in the browser. When I tried to integrate this as a Chrome extension, it is not working. When it works perfectly, it displays following code in the textarea:

<div id="wd_id" style="margin-bottom: 20px;"></div>
<script type="text/javascript" src="http://code.jquery.com/jquery-latest.min.js"></script>
<script type="text/javascript" src="http://localhost/cropimages/img_crop_widget.js"></script>
<script type="text/javascript">init_widget()</script>

I have things few things like, placing the JS code in external JS file and and also calling the file in manifest.json calling it in my popup.html, but none worked.

Can anyone tell me what I am doing wrong, or what else should I try to make it work?

starball
  • 20,030
  • 7
  • 43
  • 238
V15HM4Y
  • 1,757
  • 4
  • 26
  • 40

4 Answers4

102

From the Chrome extension CSP docs:

Inline JavaScript will not be executed. This restriction bans both inline <script> blocks and inline event handlers (e.g. <button onclick="...">).

You cannot have inline scripts in your extension HTML like:

<script>alert("I'm an inline script!");</script>

<button onclick="alert('I am an inline script, too!')">

Rather, you must place your script into a separate file:

<script src="somescript.js"></script>
apsillers
  • 112,806
  • 17
  • 235
  • 239
  • 2
    How do I invoke "alert" in the "somescript.js" from the html button? – zezba9000 Sep 03 '14 at 08:44
  • 2
    Never mind found: https://developer.chrome.com/extensions/tut_migration_to_manifest_v2#inline_scripts – zezba9000 Sep 03 '14 at 08:46
  • Relaxing the default policy doesn't seem to work at all in Chrome v70.0.3538.77 https://developer.chrome.com/extensions/contentSecurityPolicy#relaxing – lasec0203 Nov 05 '18 at 05:54
32

If you are using React with create-react-app:

  1. create a .env file in project root

  2. Add variable as follows: INLINE_RUNTIME_CHUNK=false

  3. Build the project again and load the extension again.

Source

dasfdsa
  • 7,102
  • 8
  • 51
  • 93
13

You have to add content_security_policy to your manifest.json file:

"content_security_policy": "script-src 'self' 'sha256-B+Qe/KNUDtGDd/m1g5ycAq1DgpLs9ubKmYTlOHBogC8='; object-src 'self'"

You will find the hash from console.

enter image description here

Bartleby
  • 1,144
  • 1
  • 13
  • 14
emon
  • 1,629
  • 1
  • 17
  • 18
  • 21
    what is the sha256-B+Qe/KNUDtGDd/m1g5ycAq1DgpLs9ubKmYTlOHBogC8= and where does it come from? It seems to change everytime I run my application. – Karl Merecido Oct 05 '18 at 15:43
0

I just ran into this issue as I was developing an extension. I removed the extension and loaded it again which made the error message disappear.

Hatem Jaber
  • 2,341
  • 2
  • 22
  • 38
  • Same here, but this used to work, now it happens multiple times a day, and have to remove & add it every time. (It only happens within the popup.html though) – TrySpace Aug 04 '22 at 09:07