4

I am trying to develop a Chrome application in which I want to display a custom RSS feed, but the feeds are not getting loaded and an error like the above is displayed.

Error details that are displayed

Refused to load the script
 'https://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js'
 because it violates the following Content Security Policy directive:
 "script-src 'self'
 https://ajax.googleapis.com/ajax/libs/jquery/1.4.1/jquery.min.js".

     Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'
 https://ajax.googleapis.com/ajax/libs/jquery/1.4.1/jquery.min.js". 
 jquery.min.js:35

     Refused to load the script 'https://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js'
 because it violates the following Content Security Policy directive:
 "script-src 'self'
 https://ajax.googleapis.com/ajax/libs/jquery/1.4.1/jquery.min.js".

     Refused to load the script 'http://ajax.googleapis.com/ajax/services/feed/load?v=1.0&num=2&output=json&q=http%3A%2F%2Fblog.tax2290.com%2Ffeed%2F&hl=en&callback=jsonp1373953012503'
 because it violates the following Content Security Policy directive:
 "script-src 'self'
 https://ajax.googleapis.com/ajax/libs/jquery/1.4.1/jquery.min.js".

manifest.json

{
  "name": "Tax New 2290",
  "manifest_version": 2,
  "version": "1.1",
  "description": "Tax 2290",
  "web_accessible_resources": ["images/logo.png"],
  "icons": {
    "16": "icon16.png",
    "19": "icon19.png",
    "48": "icon48.png",
    "128": "icon128.png",
    "256": "icon256.png"
  },
  "browser_action": {
    "default_icon": "images/logo.png",
    "default_popup": "index.html"
  },
  "permissions": ["tabs", "<all_urls>", "http://www.tax2290.com", "http://*/*", "https://*/*", "http://*.google.com/"],
  "content_security_policy": "script-src 'self' https://ajax.googleapis.com/ajax/libs/jquery/1.4.1/jquery.min.js; https://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js; object-src 'self'"
}

index.html

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.4.1/jquery.min.js"></script>
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
<script type="text/javascript" src="images/feed.js"></script>
<link rel="stylesheet" href="images/style.css" type="text/css"  />
<title>Chrome Popup</title>
</head>

feed.js

$(function() {
    var $items = $('#vtab>ul>li');
    $items.mouseover(function() {
        $items.removeClass('selected');
        $(this).addClass('selected');

        var index = $items.index($(this));
        $('#vtab>div').hide().eq(index).show();
    }).eq(0).mouseover();
});

$(document).ready(function () {
    $('#divRss2').FeedEk({
        FeedUrl: 'http://blog.tax2290.com/feed/',
        MaxCount: 2,
        ShowDesc: true,
        ShowPubDate: true,
        DescCharacterLimit: 250
    });
});


   > Please tell me how I could avoid these errors and load the custom RSS feeds.
user2564356
  • 675
  • 2
  • 6
  • 6
  • 1
    possible duplicate of [Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'"](http://stackoverflow.com/questions/17653384/refused-to-execute-inline-script-because-it-violates-the-following-content-secur) – Rob W Jul 16 '13 at 07:36
  • There are 4 Chrome things that can have a manifest.json file: Chrome App, Chrome Extension, Hosted App, and legacy packaged app. It would help if you could identify precisely which of these four you are trying to write. Your question mentions "chrome application," but the manifest you show isn't one for a Chrome App, so it's not clear what you are trying to do. – Marc Rochkind Sep 07 '14 at 15:28

3 Answers

2

Your "content_security_policy" has several problems.

1) The first is that you should remove the semicolon between the 1.4.1 and 1.9.1 jquery declarations. Multiple URLs should be separated with a single space only and no other characters.

2) The second is that you are trying to load this script "http://ajax.googleapis.com/ajax/services/feed/load?v=1.0&num=2&output=json&q=http%3A%2F%2Fblog.tax2290.com%2Ffeed%2F&hl=en&callback=jsonp1373953012503" but you never allow that in your CSP.

3) And thirdly, it appears you need to allow inline scripts.

I would change your "content_security_policy" to look like this:

"content_security_policy": "script-src 'self' https://ajax.googleapis.com/ 'unsafe-inline'; object-src 'self'"

'unsafe-inline' should fix the "Refused to execute inline script" error.

https://ajax.googleapis.com/ should allow both versions of jquery to load as well as your /ajax/services/feed/load URL.

Jason Wheeler
  • 872
  • 1
  • 9
  • 23
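An added example, not part of the original question or answers: a simplified `script-src` matcher run against the manifest's policy and the policy suggested above. It shows how the stray semicolon turns the 1.9.1 URL into a malformed directive name, and that an `https:` source does not match the `http://` feed URL from the error log. The function names and the `chrome-extension://example-id` origin are assumptions, and the feed URL's query string is shortened.

```javascript
// Added example: simplified CSP script-src check (no wildcards, ports, nonces or hashes).
const ORIGINAL = "script-src 'self' https://ajax.googleapis.com/ajax/libs/jquery/1.4.1/jquery.min.js; " +
  "https://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js; object-src 'self'";
const SUGGESTED = "script-src 'self' https://ajax.googleapis.com/ 'unsafe-inline'; object-src 'self'";
const JQ141 = 'https://ajax.googleapis.com/ajax/libs/jquery/1.4.1/jquery.min.js';
const JQ191 = 'https://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js';
// Feed URL from the error log, query string shortened for the example.
const FEED = 'http://ajax.googleapis.com/ajax/services/feed/load?v=1.0&num=2&output=json';

// ';' ends a directive; the first whitespace-separated token is its name.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; repeats are ignored.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Directive names may only contain letters, digits and '-'; anything else is a stray token.
function malformedDirectives(policy) {
  return [...parsePolicy(policy).keys()].filter((n) => !/^[a-z0-9-]+$/.test(n));
}

const originOf = (u) => `${u.protocol}//${u.host}`;

function sourceMatches(source, target, selfOrigin) {
  if (source === "'self'") return originOf(target) === selfOrigin;
  if (source.startsWith("'")) return false; // keywords such as 'unsafe-inline' match no URL
  let expr;
  try { expr = new URL(source); } catch { return false; }
  // An http: source also covers https:, but an https: source never covers http:.
  const schemeOk = expr.protocol === target.protocol ||
    (expr.protocol === 'http:' && target.protocol === 'https:');
  if (!schemeOk || expr.hostname !== target.hostname) return false;
  // A path ending in '/' is a prefix match; any other path must match exactly.
  return expr.pathname.endsWith('/')
    ? target.pathname.startsWith(expr.pathname)
    : target.pathname === expr.pathname;
}

// selfOrigin is a hypothetical extension origin used only for the 'self' comparison.
function allowsScript(policy, url, selfOrigin = 'chrome-extension://example-id') {
  const parsed = parsePolicy(policy);
  const sources = parsed.get('script-src') || parsed.get('default-src');
  if (!sources) return true; // no governing directive: nothing restricts scripts
  return sources.some((s) => sourceMatches(s, new URL(url), selfOrigin));
}
```

Running `malformedDirectives` over a manifest's `content_security_policy` string before packaging catches this kind of separator mistake without loading the extension.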
1

If you build a packaged app, you cannot load external scripts. Your application must embed all scripts, styles and images.

Check this link to ensure you are following chrome app CSP rules: https://developer.chrome.com/extensions/contentSecurityPolicy

Jared Ng
  • 4,891
  • 2
  • 19
  • 18
Damien
  • 352
  • 3
  • 11
  • 1
    You are talking about packaged apps (while the question is obviously not about apps). Extensions can load external scripts. – Xan Jan 18 '16 at 21:13
0

First, try to remove this part from your manifest file:

"content_security_policy": "script-src 'self' https://ajax.googleapis.com/ajax/libs/jquery/1.4.1/jquery.min.js; https://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js; object-src 'self'"

Then download all of your external links to a local environment folder and after that reference them there.

For example, download https://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js to your parent folder and change your reference from

<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.4.1/jquery.min.js"></script>

to

<script src="jquery.min.js"></script>

Also, I recommend moving all of your references from the head tag to the bottom of the body tag.