3

I am using Google calendar API and trying to load the calendar api js script in the background page and receiving error as content scripts

Refused to load the script 'https://apis.google.com/js/api.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

Tried changing the manifest.json and setting the permissions and content security policy to evaluate unsafe-eval. I am using webpack and saw this post (Chrome extension compiled by Webpack throws `unsafe-eval` error) and change the webpack mode to production and added this to my webpack configuration file devtool = 'cheap-module-eval-source-map'; The following are the changes made to my manifest.json

1. "permissions": ["https://*.google.com/"],
"content_security_policy": "script-src 'self' https://www.google.com; object-src 'self'",

2. "permissions": ["background"],
"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"
Vishnu Darshan
  • 348
  • 1
  • 2
  • 9
  • Add `https://apis.google.com` to `content_security_policy` value. – wOxxOm Oct 28 '20 at 07:21
  • Do you end up with multiple CSP headers? In that case all of them need to allow apis.googl.com in script-src for the script to load. – Halvor Sakshaug Oct 28 '20 at 09:36
  • now it is showing ` 'content_security_policy.extension_pages': Insecure CSP value "https://apis.google.com/js/api.js" in directive 'script-src'.` – Sunil Garg Apr 25 '22 at 13:09
  • @wOxxOm please can you explain how we can add It, getting an error `'content_security_policy.extension_pages': Insecure CSP value "https://apis.google.com" in directive 'script-src'. Could not load manifest.` – Zeeshan Ahmad Khalil Sep 05 '22 at 13:04
  • @ZeeshanAhmadKhalil I get the same error. Have you gotten it resolved? – AlwaysLearning Jul 20 '23 at 11:07

0 Answers0