Firebase Chrome Extension - Refused to execute inline script because it violates the following Content Security Policy directive

Question

Getting this error when trying to run this as an extension, any thoughts??

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' https://cdn.firebase.com https://*.firebaseio.com". Either the 'unsafe-inline' keyword, a hash ('sha256-SDElGe7fYNO4sezC+axo6JiF5P5uY6qAiaLldxOYZXk='), or a nonce ('nonce-...') is required to enable inline execution.

html

<!DOCTYPE html>
<html>
  <head>
    <meta charset="utf-8">
    <title></title>

    <script src='https://cdn.firebase.com/js/client/2.2.1/firebase.js'></script>
    <script>
      // Initialize Firebase
      var config = {
        apiKey: "**",
        authDomain: "**",
        databaseURL: "**",
        projectId: "**",
        storageBucket: "**",
        messagingSenderId: "**"
      };
      firebase.initializeApp(config);
    </script>

    <script defer type="text/javascript" src="js/app.js"></script>

  </head>
  <body>

    <div id="myApp">
        <input id="name" type="text" name="name" placeholder="Name"> <br>
        <input id="birth" type="text" name="birth" placeholder="Birthdate">
        <input id="submit" type="submit" value="Go" name="submit">
    </div>

    <div id="births" class="births"></div>

  </body>
</html>

Manifest.json

{
  "name": "Test",
  "manifest_version": 2,
  "version": "0.1",
  "content_security_policy": "script-src 'self' https://cdn.firebase.com https://*.firebaseio.com; object-src 'self'",


  "browser_action": {
  "default_title":"Test",
  "default_popup": "index.html"
  },
}

Answer 1

You can't load code from the web, only from a package. This is because hackers could use that Javascript as a home base as shown here.

Rescource(s): https://developer.chrome.com/extensions/contentSecurityPolicy