I set up the extension's CSP to allow loading from localhost (theoretically):
"content_security_policy": "script-src 'self' 'unsafe-eval' https://localhost:* ws://localhost:* https://*.mysite.com; object-src 'self'",
I have a web_accessible_resource that is trying to download and execute a remote script:
<html>
  <head>
    <title>Sign in</title>
  </head>
  <body>
    <script src="./auth.js"></script>
  </body>
</html>
(simplified) auth.js content:
(function(doc, script) {
  script = doc.createElement('script')
  script.type = 'text/javascript'
  script.async = true
  script.src = 'https://localhost:3333/remote-server/auth.js'
  doc.getElementsByTagName('head')[0].appendChild(script)
}(document))
However, I get the following error:
Refused to load the script 'https://localhost:3333/remote-server/auth.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'".
This does not look like the extension's CSP. I tried adding the following HTML to the HTML directly, but still no joy.
<meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-eval' https://localhost:* ws://localhost:* https://*.mysite.com">
Is there any other place that I need to specify a CSP?
UPDATE
Changing the HTML resource to load the remote script directly did not solve the problem either:
<html>
  <head>
    <title>Sign in</title>
    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-eval' https://localhost:* ws://localhost:* https://*.mysite.com">
  </head>
  <body>
    <script src="https://localhost:3333/remote-server/auth.js"></script>
  </body>
</html>
Still leading to:
Refused to load the script 'https://localhost:3333/remote-server/auth.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'".
which still does not reference the contents of the <meta>.
UPDATE 2
The page loads through
chrome.windows.create({
  url: 'chrome-extension://my-extension/auth.html',
  type: 'popup',
  height: 680,
  width: 500
}, (windw) => console.log(windw))
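Added example, not part of the original post: a simplified model of how `script-src` is evaluated, run over the policy strings quoted above. It assumes the directive quoted in the error message is the whole policy in force, and shows that when several policies apply every one of them must allow the load, so a `<meta>` policy can narrow the result but never widen it.

```javascript
// Simplified model of CSP script-src matching: exact scheme, "*." host and ":*" port wildcards.
// Real CSP also lets http:/ws: sources match their secure upgrades; that is not modelled here.
const SELF = 'chrome-extension://my-extension'; // extension origin as written in the post

function directive(policy, name) {
  // Source list for `name`, falling back to default-src; null when neither is present.
  const dirs = policy.split(';').map(d => d.trim().split(/\s+/)).filter(d => d[0]);
  const hit = dirs.find(d => d[0] === name) || dirs.find(d => d[0] === 'default-src');
  return hit ? hit.slice(1) : null;
}

function sourceMatches(source, url, selfOrigin) {
  const u = new URL(url);
  if (source === "'self'") return `${u.protocol}//${u.host}` === selfOrigin;
  if (source.startsWith("'")) return false; // keywords such as 'unsafe-eval' never match a URL
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^:/]+)(?::(\d+|\*))?/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (`${scheme.toLowerCase()}:` !== u.protocol) return false;
  const hostOk = host.startsWith('*.') ? u.hostname.endsWith(host.slice(1)) : u.hostname === host;
  const defaultPort = { 'https:': '443', 'http:': '80', 'ws:': '80', 'wss:': '443' }[u.protocol];
  const portOk = port === '*' || (u.port || defaultPort) === (port || defaultPort);
  return hostOk && portOk;
}

function policyAllows(policy, url, selfOrigin = SELF) {
  const sources = directive(policy, 'script-src');
  return sources === null || sources.some(s => sourceMatches(s, url, selfOrigin));
}

// Every policy in force must allow the load; an extra policy can only narrow the result.
function loadAllowed(policies, url) {
  return policies.every(p => policyAllows(p, url));
}

// Policy strings copied from the post.
const MANIFEST = "script-src 'self' 'unsafe-eval' https://localhost:* ws://localhost:* https://*.mysite.com; object-src 'self'";
const ENFORCED = "script-src 'self' 'unsafe-eval'"; // assumption: the error's directive is the full policy
const META = "script-src 'self' 'unsafe-eval' https://localhost:* ws://localhost:* https://*.mysite.com";
const REMOTE = 'https://localhost:3333/remote-server/auth.js';

console.log(policyAllows(MANIFEST, REMOTE));      // true: the declared policy would permit it
console.log(loadAllowed([ENFORCED], REMOTE));       // false: the policy in the error does not
console.log(loadAllowed([ENFORCED, META], REMOTE)); // false: the meta policy cannot relax it
```

The useful check when debugging is therefore the policy the browser reports as enforced, not the one written in the manifest or the `<meta>` tag.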