
I'm trying to include the speedof.me library in my Chrome App to allow the user to do some bandwidth testing, but it seems that due to some security restrictions it does not allow me to load it. The error I get is:

> Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' chrome-extension-resource:". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

I couldn't really find any documentation on how to get around this. I tried both including the js file in the html:

```html
<script src="api.js" type="text/javascript"></script>
```

and also dynamically loading it through javascript:

```javascript
$.getScript("api.js");
```

Both of those result in that same error message. Per suggestions in the comments I also tried modifying the content_security_policy:

```json
"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'",
```

That doesn't work since this is a packaged app and not an extension.

I tried sandboxing as well, but I had a bunch of other chrome app api logic in that page and sandboxing disables that.

Is what I'm trying to do just not feasible for a Chrome app? This is the first one I've ever done and I inherited it from someone else that never quite finished it.

cloudwalker
  • can you post your manifest.json? Sounds like you're missing a property in `content_security_policy`. – peterdotjs Mar 11 '15 at 02:52
  • My manifest doesn't have content_security_policy in it at all, so it sounds like that's the problem for sure then :) I'm very new to Chrome apps and took this one over from someone that already started working on it. – cloudwalker Mar 11 '15 at 02:55
  • Although, when I try to add content_security_policy I get a warning that says: 'content_security_policy' is only allowed for extensions and legacy packaged apps, but this is a packaged app. So, is it not possible to do this in an app? – cloudwalker Mar 11 '15 at 03:00
  • For an app you'll have to use [`sandboxing`](https://developer.chrome.com/apps/app_external#sandboxing), per https://developer.chrome.com/apps/contentSecurityPolicy. Similar question posted here: http://stackoverflow.com/questions/21130400/content-security-policy-in-chrome-app – peterdotjs Mar 11 '15 at 03:34
  • You need to show how you're trying to load it. – Xan Mar 11 '15 at 08:24

0 Answers
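
The sandboxing route linked in the comments splits the work: the eval-dependent library runs in a sandboxed page, and the page that holds the `chrome.*` logic talks to it through `postMessage`. An added example of the main-page side (not code from the question, the comments or speedof.me), where `sandbox.html`, the `speedtest` iframe id and the message types and fields are assumptions:

```javascript
// Added example for the app's main (non-sandboxed) page. Assumptions:
//   manifest.json contains  "sandbox": { "pages": ["sandbox.html"] }
//   sandbox.html (hypothetical) loads api.js and reports via parent.postMessage()
//   the main page contains  <iframe id="speedtest" src="sandbox.html"></iframe>

// Message types accepted from the sandboxed frame (hypothetical names).
const ALLOWED_TYPES = new Set(["progress", "result", "error"]);

// Returns a "message" handler that accepts only well-formed messages
// coming from the given frame window; returns true when one is dispatched.
function createSandboxListener(frameWindow, handlers) {
  return function onMessage(event) {
    // The sandboxed page runs in a unique origin, so event.origin cannot
    // identify it; compare the sending window object instead.
    if (event.source !== frameWindow) return false;
    const msg = event.data;
    if (msg === null || typeof msg !== "object") return false;
    if (!ALLOWED_TYPES.has(msg.type)) return false;
    // Numeric payloads must be real numbers, never strings to be parsed later.
    if (msg.type !== "error" && !Number.isFinite(msg.mbps)) return false;
    const handler = handlers[msg.type];
    if (typeof handler !== "function") return false;
    handler(msg);
    return true;
  };
}

// Ask the sandboxed page to start a test. "*" is used as targetOrigin because
// a unique origin cannot be named, so the message must carry no secrets.
function requestTest(frameWindow) {
  frameWindow.postMessage({ type: "start" }, "*");
}

// Browser wiring; skipped when no DOM or no such iframe is present.
const frame = typeof document !== "undefined" && document.getElementById("speedtest");
if (frame) {
  const listener = createSandboxListener(frame.contentWindow, {
    // chrome.* calls stay here, in the privileged page.
    result: (m) => console.log("download Mbps:", m.mbps),
    error: (m) => console.error("speed test failed:", String(m.reason)),
  });
  window.addEventListener("message", listener);
  frame.addEventListener("load", () => requestTest(frame.contentWindow));
}
```
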