
I am developing a Chrome App that would serve as an Arduino code editor based on the Cylon project. A JS script (let's call it output.js) is generated incorporating the LED-toggling logic or whatever else we want to achieve with the Arduino, and it is compiled together with other Node dependencies using browserify. In their Chrome extension example they statically reference this script in index.html.

Since I am working on an editor that will allow users to write arbitrary code to work on the Arduino, I am generating the contents of output.js dynamically. I have gotten to the point where I can successfully generate the contents of output.js, and I have written a function that injects that data into a script tag. However, Google Chrome throws an error:

Refused to execute inline script because it violates the following Content Security Policy directive: 
"default-src 'self' blob: filesystem: chrome-extension-resource:". 
Either the 'unsafe-inline' keyword, a hash ('sha256-Mugizlz7AFKJ2hm6UA9ySY/31cKCVhLaEX9/QYpJIsk='), 
or a nonce ('nonce-...') is required to enable inline execution. 
Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

So I realize I need to execute inline JavaScript, which could be a potential security vulnerability. I know that content scripts are designed specifically to inject custom JS or CSS into web pages, but they work in the context of a website or web address.

I want to modify the DOM and inject custom JS in a standalone Chrome App, not a Chrome extension that works in the context of some websites or tabs. From whatever little research I did on the subject, I guess content scripts are not a valid concept for Chrome Apps. How do I then inject JavaScript into the DOM of a Chrome App? What are the possible alternatives to content scripts I have in this situation?

Vivek Pradhan
  • Chrome apps may declare a [sandboxed page](https://developer.chrome.com/apps/manifest/sandbox). – wOxxOm May 08 '17 at 16:21
  • You can try the [solution in this github forum](https://github.com/angular/protractor/issues/2579) where the dev created a function that accepts the URL of the JS file to be executed. Check these [code samples](https://gist.github.com/danharper/8364399) for more code reference. – ReyAnthonyRenacia May 08 '17 at 16:27
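To make wOxxOm's sandboxed-page suggestion concrete, here is what that route looks like. This is an added illustration, not code from the question, the answer, or the Cylon project; the file names sandbox.html and sandbox.js, the host-side function sendToSandbox, and the { code: string } message shape are all assumptions. The manifest's "sandbox" key relaxes the CSP for the listed pages only, so the generated output.js text can be evaluated there while the main page keeps the strict default policy.

```javascript
'use strict';

// manifest.json additions (assumed file name): pages listed under "sandbox"
// run under Chrome's relaxed sandbox CSP (which includes 'unsafe-eval'),
// with a unique origin and no access to chrome.* APIs. Shown as an object
// for reference only.
const MANIFEST_SANDBOX = {
  sandbox: { pages: ['sandbox.html'] },
};

// --- sandbox.js, loaded by sandbox.html ---------------------------------
// Evaluate generated source and report the outcome. Kept free of DOM calls
// so the same function can be exercised outside a browser.
function executeGenerated(source) {
  try {
    // new Function is permitted only because this page is sandboxed.
    const fn = new Function(source);
    return { ok: true, result: fn() };
  } catch (err) {
    return { ok: false, error: String(err) };
  }
}

// Validate the incoming message before evaluating anything in it.
function handleMessage(event, reply) {
  const data = event && event.data;
  if (!data || typeof data.code !== 'string') {
    reply({ ok: false, error: 'malformed message: expected { code: string }' });
    return;
  }
  reply(executeGenerated(data.code));
}

// Wire the handler up when running inside a real page.
if (typeof window !== 'undefined') {
  window.addEventListener('message', (event) => {
    handleMessage(event, (msg) => event.source.postMessage(msg, event.origin));
  });
}

// --- host page (strict CSP): hand the generated output.js text to the
// sandboxed <iframe src="sandbox.html"> (assumed element) ------------------
function sendToSandbox(frame, generatedSource) {
  // '*' is used because a sandboxed page has an opaque origin, so there is
  // no origin string to target. The host must still treat replies as
  // untrusted input and validate them before acting on them.
  frame.contentWindow.postMessage({ code: generatedSource }, '*');
}
```

The trade-off to keep in mind: the sandboxed page cannot call chrome.* APIs or touch the host page's DOM directly, so anything the browserified bundle needs from those APIs has to be brokered back to the host over postMessage, and the host should validate every message it receives from the frame rather than trusting it.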

1 Answer


It may help to make a manifest.json file that includes the hash from the error message.

For instance, your manifest.json may look like this:

{
  "manifest_version": 2,
  "name": "arduino editor",
  "version": "1.0.0",
  "minimum_chrome_version": "46",
  "content_security_policy": "script-src 'self' 'sha256-Mugizlz7AFKJ2hm6UA9ySY/31cKCVhLaEX9/QYpJIsk='",
  "background": {
    "page": "background.html"
  }
}

See the following post for more in-depth info.

Chrome Extension - Content Security Policy - executing inline code

Jeff Huijsmans
  • Thanks for the quick reply Jeff. I have a similar `manifest.json`, but the contents of `output.js` can dynamically change so I can not hardcode a `sha256` signature in Manifest as it would be invalid as soon as the script is modified. – Vivek Pradhan May 08 '17 at 09:03
  • Can you recalculate the `sha256` in your build system? – Jeff Huijsmans May 08 '17 at 11:38
  • Even if I can Jeff, I will have to update the `manifest` with the new signature. I don't think that is a feasible option for a chrome app during run time. – Vivek Pradhan May 08 '17 at 13:28