39

My Chrome app has the following manifest:

{
    "name": ",
    "version": "1.0.3",
    "manifest_version": 2,
    "description": "Chrome Extension for.",
    "icons": {
        "16": "images/test.png",
        "19": "images/test.png",
        "256": "images/test.png"
    },
    "app": {
        "background": {
            "scripts": [
                "background.js"
            ]
        }
    },

    "sandbox": {
        "js": [
            "lib/test-api.js"
        ]
    },
    "permissions": [
        "<all_urls>",
        "notifications",
        "storage",
        "videoCapture"
    ]
}

I have a script file that runs eval. I have read about CSP and sandboxing, but I still get this error:

Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' chrome-extension-resource:". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

Xan

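The error quoted in the question is a direct consequence of how CSP resolves script sources: eval is governed by script-src, and when that directive is absent the browser consults default-src instead. The following script is an added illustration, not code from the question or from either answer. It parses a policy string into directives, applies that fallback, and reports whether eval would be permitted. The first two policies it checks are the ones quoted on this page (the app's default policy from the error text and the relaxed extension policy from the answers); the function names and the third policy are assumptions made for the example.

```javascript
// Added example (not from the original post): a minimal model of the part of
// CSP that decides whether eval() runs. Function names are assumptions;
// POLICY_APP_DEFAULT and POLICY_RELAXED are the policies quoted on the page.

// Parse "name src src; name src ..." into a Map of directive -> source list.
// A directive that appears twice is ignored after its first occurrence,
// which is how browsers treat duplicates.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// script-src governs eval; when it is absent, default-src is the fallback.
// With neither present there is no restriction on scripts at all.
function scriptSources(directives) {
  for (const name of ["script-src", "default-src"]) {
    if (directives.has(name)) return { from: name, sources: directives.get(name) };
  }
  return { from: null, sources: [] };
}

// Returns whether eval() / new Function() / string-argument setTimeout would
// be permitted, plus which directive made the decision.
function evalAllowed(policy) {
  const { from, sources } = scriptSources(parseCsp(policy));
  if (from === null) return { allowed: true, from: null };
  const allowed = sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
  return { allowed, from };
}

// Produce a line in the spirit of Chrome's console message.
function explain(policy) {
  const { allowed, from } = evalAllowed(policy);
  if (from === null) return "eval allowed: no script-src or default-src in policy";
  const note = from === "default-src"
    ? " ('script-src' was not set, so 'default-src' is used as a fallback)"
    : "";
  return (allowed ? "eval allowed" : "eval refused") + " by " + from + note;
}

// Policy Chrome applies to a packaged app (taken from the error in the question).
const POLICY_APP_DEFAULT = "default-src 'self' chrome-extension-resource:";
// Policy the answers suggest for an extension manifest.
const POLICY_RELAXED = "script-src 'self' 'unsafe-eval'; object-src 'self'";
// Constructed for the example: 'unsafe-eval' in default-src does not help
// once script-src is present, because the fallback is no longer consulted.
const POLICY_MISPLACED = "default-src 'self' 'unsafe-eval'; script-src 'self'";

for (const p of [POLICY_APP_DEFAULT, POLICY_RELAXED, POLICY_MISPLACED]) {
  console.log(p, "=>", explain(p));
}
```

The third policy is the case people most often get wrong when they do have a content_security_policy key: putting 'unsafe-eval' in default-src is only honoured while script-src is absent.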
2 Answers

46

Have you tried adding the CSP line to your manifest as per your CSP link?

"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"
brucek
  • Yes, but I use a packaged app –  Jan 15 '14 at 07:17
  • Sorry, not sure if I understand exactly... From reading about [packaged apps](https://developers.google.com/chrome/web-store/articles/apps_vs_extensions?csw=1) it looks like that shouldn't matter. Is your eval in the background.js, the test-api.js, or both? – brucek Jan 15 '14 at 07:32
  • @brucek I think the error he's referring to is `'content_security_policy' is only allowed for extensions and legacy packaged apps, but this is a packaged app.` In apps, you'll need to use sandboxing to use eval. See https://developer.chrome.com/apps/contentSecurityPolicy – mikemaccana Jun 16 '14 at 10:32
  • Yep thx, I figured that out eventually ;-) @rob-w has the answer below – brucek Jul 09 '14 at 05:50
  • Presumably there is a reason why this is a "bad thing". – Andy Hayden Oct 18 '14 at 06:45
36

What you're showing is not a Chrome extension, but a Chrome app.
Chrome extensions will let you relax the default Content Security Policy; Chrome Apps won’t. (source: CSP docs for Chrome apps; note: this page is different from CSP docs for Chrome extensions).

The next line applies to apps and extensions:

  • The content security policy does not apply to a specific script, but to a whole page. So, you can only declare a sandbox for a whole page (using the sandbox.pages key in the manifest file). You cannot use "js" as a key in sandbox.

In a Chrome extension, the CSP can be relaxed, e.g. allowing eval using the following policy:

"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"

To turn your app into an extension: do not use the app key, but use a background key. With the following manifest, you'll be able to use eval in your background page:

{
    "name": "Whatever",
    "version": "1.0.3",
    "manifest_version": 2,
    "background": {
        "scripts": [
            "background.js"
        ]
    },
    "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"
}

(omitted icons / permissions because they're not relevant for the example; omitted sandbox because it's not needed)

Rob W
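The answer above covers the extension route. For the case where the code must stay a Chrome app, where the CSP cannot be relaxed and sandboxing applies to a whole page, the following is an added example and not the answer's own code: an app manifest that declares a sandboxed page with sandbox.pages instead of the question's sandbox.js, the message handler that runs inside the sandboxed page (the only place eval is called, since a sandboxed page in a manifest_version 2 app is served a CSP that permits it), and a small host-side client that correlates requests and replies by id so a reply can only settle a request the host actually issued. File names, the message format and the sample expressions are assumptions; the browser wiring via postMessage is shown in comments, and the last function connects the two halves directly so the script runs offline.

```javascript
// Added example, not code from the original answer: the sandbox route for a
// Chrome app. The app declares a whole page as sandboxed (sandbox.pages, not
// sandbox.js), embeds it in an iframe, and talks to it with postMessage.
// Only the sandboxed page ever calls eval. File names, the message shape and
// the demo expressions are assumptions.

// manifest.json for the app; the sandbox key names a page, not a script.
const APP_MANIFEST = {
  name: "Sandboxed eval demo",
  version: "1.0.3",
  manifest_version: 2,
  app: { background: { scripts: ["background.js"] } },
  sandbox: { pages: ["sandbox.html"] },
};

// ---- Sandbox side: script loaded by sandbox.html, where eval is permitted ----
// Every request carries a numeric id and a code string; the reply echoes the
// id so the host can match it. Anything else is rejected without evaluation.
function handleSandboxMessage(data) {
  if (!data || typeof data.id !== "number" || typeof data.code !== "string") {
    return { id: data && data.id, ok: false, error: "malformed request" };
  }
  try {
    // eslint-disable-next-line no-eval
    const result = eval(data.code);
    return { id: data.id, ok: true, result };
  } catch (err) {
    return { id: data.id, ok: false, error: String(err && err.message) };
  }
}

// ---- Host side: window page or background.js, still under the strict CSP ----
class SandboxClient {
  constructor(send) {
    this.send = send;          // function that delivers a message to the sandbox
    this.pending = new Map();  // id -> { resolve, reject }
    this.next = 1;
  }

  // Send code to the sandbox; resolves with the evaluated result.
  request(code) {
    const id = this.next++;
    const p = new Promise((resolve, reject) => this.pending.set(id, { resolve, reject }));
    this.send({ id, code });
    return p;
  }

  // Replies with unknown ids are dropped, so a stray frame posting to the
  // host window cannot inject a result. Returns whether the reply was used.
  onReply(reply) {
    const entry = this.pending.get(reply && reply.id);
    if (!entry) return false;
    this.pending.delete(reply.id);
    if (reply.ok) entry.resolve(reply.result);
    else entry.reject(new Error(reply.error));
    return true;
  }
}

// In the browser the two halves are wired like this (not executed here):
//   sandbox.html:
//     window.addEventListener("message", (e) =>
//       e.source.postMessage(handleSandboxMessage(e.data), "*"));
//   host page (window.html with <iframe id="sandbox" src="sandbox.html">):
//     const frame = document.getElementById("sandbox");
//     const client = new SandboxClient((m) => frame.contentWindow.postMessage(m, "*"));
//     window.addEventListener("message", (e) => client.onReply(e.data));
//
// Offline demo: connect the two halves directly in place of postMessage.
function demo() {
  const client = new SandboxClient((msg) => client.onReply(handleSandboxMessage(msg)));
  return Promise.all([
    client.request("1 + 2 * 3"),
    client.request("[1,2,3].map(x => x * x).join(',')"),
  ]);
}

demo().then((results) => console.log("sandbox results:", results, APP_MANIFEST.sandbox));
```

The host never evaluates anything it receives; it only resolves a promise with whatever the sandbox sent back, which is the whole point of the split.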