Chrome extension: "Refused to evaluate a string as JavaScript because 'unsafe-eval'"

I have an error:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' chrome-extension-resource:". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.

chrome-extension://ldbpohccneabbobcklhiakmbhoblcpof/popup.html:1

Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' chrome-extension-resource:".

code popup.js

    $(document).ready(function() {
        $.getJSON('http://.......alerts.json', function(data) {
            alert('HELLO');
        });
    });

manifest:

    {
        "manifest_version": 2,
        "name": "Alert",
        "description": "This extension for .",
        "version": "2.0",
        "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'",
        "permissions": [
            "http://www.......il/"
        ],
        "browser_action": {
            "default_icon": "icon.png",
            "default_popup": "popup.html"
        },
        "content_scripts": [
            {
                "js": [ "jquery.min.js", "popup.js" ],
                "matches": [ "http://*/*", "https://*/*" ]
            }
        ]
    }

Popup:

    <!doctype html>
    <html>
    <head>
    <title>Getting Started Extension Popup</title>
    <style>
      body { min-width: 357px; overflow-x: hidden; }
      img { margin: 5px; border: 2px solid black; vertical-align: middle; width: 75px; height: 75px; }
    </style>
    <head>
      <script src='jquery.min.js'></script>
      <script src='popup.js'></script>
    </head>
    </head>
    <body>
    </body>
    </html>
+19
json javascript google-chrome-extension content-security-policy
Jul 17 '14 at 8:37
2 answers

I got this message because Chrome no longer allows inline scripts and inline event handlers (like onClick): they need to be moved to an external JS file (like popup.js), and addEventListener() should be used to associate events with DOM objects.

For example:

    <body onload="initialize()">
    <button onclick="handleClick()" id="button1">

must be replaced by:

    window.addEventListener("load", initialize);
    document.getElementById("button1").addEventListener("click", handleClick);

In your case, I don't see JS in HTML, but there are a few things you could try:

  • move popup.js includes just before.
  • fix html (double head).
  • remove the content_scripts section from the manifest. The content scripts are supposed to run against the content of the page; this is not a JS file included in the popup window of the page or browser. The browser action section should be sufficient.

See Explanation of V2 Extension Extensions

+12
Aug 20 '14 at 2:06
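A lint-style check for what the answer above describes, as an added example (not code from the answer or from Chrome): it scans extension HTML for inline scripts and inline event handlers, and lists the script-src keywords in a manifest_version 2 CSP string that re-enable eval() or inline code. The function names `auditHtml` and `auditCsp` are hypothetical, and the regex scan is a heuristic, not an HTML parser.

```javascript
// Added example: lint-level scan, not a full HTML parser.

// Inline code in extension HTML that "script-src 'self'" refuses to run.
function auditHtml(html) {
  const findings = [];
  // 1. <script> elements that carry code instead of a src attribute.
  for (const m of html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi)) {
    if (!/\bsrc\s*=/i.test(m[1]) && m[2].trim() !== '') {
      findings.push({ kind: 'inline-script', detail: m[2].trim().slice(0, 40) });
    }
  }
  // 2. Inline event handlers (onload=, onclick=, ...) on any start tag.
  for (const m of html.matchAll(/<([a-zA-Z][\w-]*)\b([^>]*)>/g)) {
    // Blank out quoted values so text inside them cannot look like an attribute.
    const attrs = m[2].replace(/"[^"]*"|'[^']*'/g, '""');
    for (const a of attrs.matchAll(/(?:^|\s)(on[a-z]+)\s*=/gi)) {
      findings.push({ kind: 'inline-handler',
                      detail: `<${m[1].toLowerCase()}> ${a[1].toLowerCase()}` });
    }
  }
  return findings;
}

// script-src keywords in a manifest_version 2 CSP string that re-enable
// eval() or inline code.
function auditCsp(manifest) {
  const csp = typeof manifest.content_security_policy === 'string'
    ? manifest.content_security_policy : '';
  const scriptSrc = csp.split(';')
    .map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === 'script-src') || [];
  return scriptSrc.slice(1).filter(t => /^'unsafe-(eval|inline)'$/i.test(t));
}

// Sample inputs taken from this page: the first answer's markup and the
// CSP string from the question's manifest.
const SAMPLE_HTML =
  '<body onload="initialize()"> <button onclick="handleClick()" id="button1">';
const SAMPLE_MANIFEST = {
  content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'",
};
console.log(auditHtml(SAMPLE_HTML));    // two inline-handler findings
console.log(auditCsp(SAMPLE_MANIFEST)); // [ "'unsafe-eval'" ]
```
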

I had a very similar problem. I did not use any inline scripts or inline event handlers, but still got this error. It turns out that jQuery internally tries to evaluate the response of such queries, which is not allowed in Chrome extensions. In my case, I used $.ajax() with dataType: 'json'. I solved the problem by changing dataType to text and then manually parsing the JSON using JSON.parse().

It is also worth mentioning that most jQuery APIs try to execute the scripts included in the HTML string when parsing it, which causes similar errors when used in a Chrome extension. In such cases, explicit escaping of scripts in the responses is required. Here is a quote from the jQuery parseHTML() documentation:

Most jQuery APIs that accept HTML strings will run scripts that are included in the HTML. jQuery.parseHTML does not run scripts in the parsed HTML unless keepScripts is explicitly true. However, it is still possible in most environments to execute scripts indirectly, for example, through an attribute. The caller must be aware of this and guard against it by cleaning or escaping any untrusted inputs from sources such as the URL or cookies. For future compatibility, callers should not depend on the ability to run any script content if keepScripts is not specified or false.

Please note that these issues cause problems when used in a Chrome extension because of Chrome's restriction on inline script evaluation. In general, they may not be true.

+1
Jun 04 '16 at 13:41