I am currently writing a chrome extension. This is the manifest:

{
  "manifest_version": 2,

  "name": "whatever",
  "short_name": "whocares",
  "description": "blabla",
  "version": "1.0.2",
  "author": "me",

  "permissions": [
    "http://ajax.googleapis.com/"
  ],
  "content_scripts": [
    {
      "matches": ["https://plus.google.com/*"],      
      "js": ["jquery-1.10.2.min.js","filter.js","settings.js","settings.html"]
    }
  ],
  "options_page": "settings.html",

  "browser_action": {
    "default_icon": "nicepic.png"
  }
}

This is the options.html page:

<html>
<head>
 <script type="text/javascript" src="settings.js"></script>
</head>
<body onload="CollectSettings()">
<h2>Options:</h2>
<form>
(some stuff)
</form>
</body>
</html>

The following error is thrown:

Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' chrome-extension-resource:".

CollectSettings() is a function within settings.js.

I thought there were only JS limitations of that kind in background scripts, not on the options page?

Ole Albers
  • possible duplicate of [Content-Security-Policy error in google chrome extension making](http://stackoverflow.com/questions/11045653/content-security-policy-error-in-google-chrome-extension-making) – Teepeemm Sep 02 '15 at 13:33
  • This is 2 years old and has a unique answer. Should not be marked as duplicate imho. – Ole Albers Sep 02 '15 at 18:28

1 Answer

The Chrome Extensions Content Security Policy (CSP), which among other things prevents the execution of inline JavaScript, applies to the background page and all views of an extension (including any popups).

In fact, the example used in the section "Inline JavaScript will not be executed" is a typical case where those restrictions are effective on a browser-action popup.

gkalpak
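
The restriction described in the answer can be checked before an extension is packaged. The following is an added example, not code from the question or the answer: `findCspViolations` is a hypothetical helper that flags inline event handlers, `javascript:` URLs and inline `<script>` bodies, run here on the options page from the question and on a fixed version in which `settings.js` registers the handler itself.

```javascript
// Added example: pre-packaging check for markup that the extension CSP
// ("script-src 'self' ...") blocks. Regex-based heuristic, not an HTML parser.
function findCspViolations(html) {
  const findings = [];
  const tagRe = /<([a-z][a-z0-9]*)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = m[2];
    // 1. on* attributes, the case in the question (<body onload="...">)
    for (const a of attrs.matchAll(/\s(on[a-z]+)\s*=/gi)) {
      findings.push({ tag, kind: 'inline-handler', detail: a[1].toLowerCase() });
    }
    // 2. javascript: URLs count as inline script as well
    if (/\s(?:href|src|action)\s*=\s*["']?\s*javascript:/i.test(attrs)) {
      findings.push({ tag, kind: 'javascript-url', detail: 'javascript:' });
    }
    // 3. <script> without src and with a non-empty body
    if (tag === 'script' && !/\ssrc\s*=/i.test(attrs)) {
      const closeRe = /<\/script/gi;
      closeRe.lastIndex = tagRe.lastIndex;
      const c = closeRe.exec(html);
      const end = c ? c.index : html.length;
      const body = html.slice(tagRe.lastIndex, end).trim();
      if (body !== '') findings.push({ tag, kind: 'inline-script', detail: body.slice(0, 40) });
      tagRe.lastIndex = end; // do not parse script text as tags
    }
  }
  return findings;
}

// Options page from the question (the form contents are elided there)
const questionPage = `<html>
<head>
 <script type="text/javascript" src="settings.js"></script>
</head>
<body onload="CollectSettings()">
<h2>Options:</h2>
<form></form>
</body>
</html>`;

// Fixed page: the attribute is removed, and settings.js registers the handler:
//   document.addEventListener('DOMContentLoaded', CollectSettings);
const fixedPage = questionPage.replace(' onload="CollectSettings()"', '');

console.log(findCspViolations(questionPage));
console.log(findCspViolations(fixedPage));
```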