1

this answer suggests adding shaw-256 base 64 encode string of source code under content_script_policy in manifest.json. What should I encode exactly? Complete content.js or only myfunction() in the below snippet or something else?

My content.js is something like this

myfunction(var1,var2){
  //do some thing here
}

var module = `<a href=${url} onclick="myfunction(var1,var2)">Lorem ipsum is a dummy text.Lorem ipsum is a dummy texxt.Lorem ipsum is a dummy texxt.</a>`

somedom.append(module)
Bharath gedela
  • 11
  • 4
  • Instead of using HTML simply construct the `a` element using document.createElement and then assign a.onclick = myfunction. It will correctly reference your content script's function. – wOxxOm Jan 07 '19 at 18:26
  • Since you're calling this piece of code `content.js`, presumably this is a content script. _They are not bound by `content_security_policy` in the manifest._ – Xan Jan 08 '19 at 12:41

1 Answers1

1

Inline code execution is not possible but you can add dynamic elements by using this

injectBtn() {
const link = document.createElement("button");
link.innerHTML = "BTN";
link.className = "btn1";

link.addEventListener("click", () => {
  this.injectTemplate();
});

return document.querySelector("#ipd-leftnav").appendChild(link);
 }
}

Hope this help

Adnan
  • 1,589
  • 11
  • 17
  • as per documentation (https://developer.chrome.com/extensions/contentSecurityPolicy#relaxing-inline-script) inline execution of javascript is possible if you provide base64-encoded hash of the source code. I am confused about source code here in my case. – Bharath gedela Jan 08 '19 at 13:44
  • Bharath gedela, there's no point in doing this since the attribute will point to a page function, not to the content script (except for Chrome 71 which is buggy but that's a different story). – wOxxOm Jan 09 '19 at 04:15