
I am currently writing a browser extension that supports Manifest-v2 and v3, which requires the CashJS library (a lightweight version of jQuery) for convenience. I would like my content script `content/index.js` to be able to use this library, `content/cash.min.js`, but I get a CSP violation stating:

```
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-wThdlNeRf1Fp3UGuX3Ch9caqVJ8S7Wn41fdlaVxsRDE='), or a nonce ('nonce-...') is required to enable inline execution.
```

Here is my manifest.json (for v3):

```
...
"content_scripts": [{
    ...
    "js": [
        "content/cash.min.js",
        "content/index.js"
    ]
}],
...
```

I have tried using content_security_policy in various ways (hashes & enabling unsafe-inline) but Chrome refuses it:

```
"content_security_policy": "script-src 'self' 'sha256-wThdlNeRf1Fp3UGuX3Ch9caqVJ8S7Wn41fdlaVxsRDE='; object-src 'self';"
```

It gives the error `Invalid value for 'content_security_policy'.` when attempting to load the extension. I have read this page from Mozilla as well as other posts discussing this issue but haven't found a solution that fits my needs.

This article from Chrome's documentation mentions using their sandboxing feature but it only seems to work for webpages, not the scripts themselves.

I really don't want to intercept the headers as proposed here.

Any help would be much appreciated!

Henry Le Berre
  • Don't use this library as it's not compatible with extensions. Its `evalScripts` function creates a script element in the current web page, which means the code runs in [page context](/a/9517879), not in the context of the content scripts, even if you correctly relax the CSP (note that in ManifestV3 this key is an object, not a plain string, see the migration guide). – wOxxOm Jul 29 '21 at 03:39
  • Ah, that makes sense thank you! Can you suggest an alternative? – Henry Le Berre Jul 29 '21 at 04:11
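
The first comment notes that in ManifestV3 the `content_security_policy` key is an object rather than a plain string. As an added example that is not part of the original thread, here is a small lint that checks the key's shape against `manifest_version`. `lintManifestCsp` and `scriptSrcTokens` are hypothetical helper names; `extension_pages` and `sandbox` are the object keys of Chrome's ManifestV3 format.

```javascript
// Added example, not code from the thread. lintManifestCsp is a hypothetical
// helper; callers pass a parsed manifest.json object.
function scriptSrcTokens(policy) {
  // Return the source list of the script-src directive, or [] if absent.
  for (const directive of policy.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "script-src") return sources;
  }
  return [];
}

function lintManifestCsp(manifest) {
  const findings = [];
  const csp = manifest.content_security_policy;
  if (csp === undefined) return findings; // key absent: browser default applies
  const policies = [];
  if (manifest.manifest_version === 3) {
    // ManifestV3: an object keyed by context, each value a policy string.
    if (typeof csp !== "object" || csp === null || Array.isArray(csp)) {
      return ["MV3: content_security_policy must be an object"];
    }
    for (const [key, value] of Object.entries(csp)) {
      if (key !== "extension_pages" && key !== "sandbox") {
        findings.push(`MV3: unexpected key "${key}"`);
      } else if (typeof value !== "string") {
        findings.push(`MV3: "${key}" must be a string`);
      } else {
        policies.push([key, value]);
      }
    }
  } else {
    // ManifestV2: a single policy string.
    if (typeof csp !== "string") {
      return ["MV2: content_security_policy must be a string"];
    }
    policies.push(["content_security_policy", csp]);
  }
  // Report any policy whose script-src allows inline script.
  for (const [name, policy] of policies) {
    if (scriptSrcTokens(policy).includes("'unsafe-inline'")) {
      findings.push(`${name}: script-src contains 'unsafe-inline'`);
    }
  }
  return findings;
}
```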
