javascript extension src-script blocked

Question

I want to create extension that would redirect me to handler:query, here is my code:

manifest.json

…
"content_security_policy": "default-src * ;script-src 'self' 'unsafe-eval' ;object-src 'self' 'unsafe-eval'"
…

background.html

    <!DOCTYPE html>
    <html>
    <head>
    <meta http-equiv="content-type" content="text/html; charset=utf-8" />
    <script type="text/javascript" src="background.js"></script>
    </head>
    <body>
    <button id="bttn1" onclick="search()">Search!</button>
    </body>
    </html>

but when debugging the extension, I get the error:

    Content Security Policy: The page’s settings blocked the loading of a 
    resource at self (“script-src moz-extension://0ab93926-b987-451b-ad1d-
    c183360acd8a 'unsafe-eval'”). Source: onclick attribute on BUTTON element.

What do I do in order to fix this? My browser is Firefox Developer Edition 58.0b6 (64-bit)

Answer 1

Firefox applies a default Content Security Policy to extensions which disallows inline JavaScript.

You can:

• Instead of onclick="search()" inline in your HTML, addEventListener from the .js file instead.
• Add the hash of your inline script to the extension's Content Security Policy.

For the latter approach, hash your inline script. Yours, for example, is search(). There's a handy online tool for this at ReportURI. Insert the hash into your manifest.json like so:

"content_security_policy": "script-src 'self' 'sha256-55C+spmnlCUR5KgSippSbxcEepdItE3dLSUgcw1if/U='; object-src 'self';",