The div generated by bokeh uses inline style, giving the error Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-...'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
My problem is, when developing a Chrome extension, I am getting this error:
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' blob: filesystem: chrome-extension-resource:". Either the 'unsafe-inline' keyword, a hash ('sha256-+BWoieEB23JsqONQi994gklHUNPq5RCtit+I45ejZPU='), or a nonce ('nonce-...') is required to enable inline execution.
When I try to add to the html.
What can I do?
I'm trying to run a python script in a chrome extension with brython and I'm stuck because of the content security policy. The only tutorial I could find recommended I set up an html file like this:
<body onLoad="">
    <iframe src="C:\\hello.py" id="frame" seamless="seamless" scrolling="no"></iframe>
</body>
but an error always pops up in the console saying:
"Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution."
I have this line in my manifest file:
"content_security_policy": "script-src 'self' 'unsafe-inline'; object-src 'self'",
but I assume it's not doing anything since people have said that the 'unsafe-inline' keyword is deprecated.
Is there any way to do this in a javascript file and not in the html, and is that a way to get around this problem? I'm really not sure what I'm doing here, so can someone please point me in the right direction?
I have loaded jQuery via the manifest.json and I now want the ability to dynamically load other local scripts (if needed).
I have tried the following
$.getScript(chrome.extension.getURL('script.js'), function () {
    console.log("Script loaded");
});
But it gives this error
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' blob: filesystem: chrome-extension-resource:". Either the 'unsafe-inline' keyword, a hash ('sha256-JNPQ...'), or a nonce ('nonce-...') is required to enable inline execution.
How can I fulfill what it asks for?
I'm making a chrome extension however I seem to get the following error when I try to fire up an onclick() event.
Refused to load the script 'https://apis.google.com/js/client.js?onload=handleClientLoad' because it violates the following Content Security Policy directive: "script-src 'self' blob: filesystem: chrome-extension-resource:"
and
Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' blob: filesystem: chrome-extension-resource:". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
This is my manifest.json:
{
    "manifest_version": 2,
    "name": "SECURE",
    "description": "this extension offers secure communication for GMAIL users",
    "version": "1.0",
    "browser_action": {
        "default_icon": "resources/icon16.png",
        "default_popup": "popup.html",
        "default_title": "Click here!"
    },
    "background": {
        "scripts": ["background.js"]
    },
    "content_scripts": [
        {
            "matches": ["http://*/*", "https://*/*"],
            "js": ["myscript.js"],
            "run_at": "document_end"
        }
    ],
    "permissions": ["identity", "https://accounts.google.com/*", "https://www.googleapis.com/*"],
    "oauth2": {
        "client_id": "975410329966.apps.googleusercontent.com",
        "scopes": [
            "<all urls>",
            "https://www.googleapis.com/auth/drive",
            "https://mail.google.com/",
            "https://www.googleapis.com/auth/gmail.login",
            "https://www.googleapis.com/auth/gmail.compose",
            "https://www.googleapis.com/auth/gmail.readonly",
            "https://www.googleapis.com/auth/gmail.send"
        ],
        "content_security_policy": "script-src 'self' 'unsafe-inline' 'unsafe eval' https://apis.google.com/js/client.js?; object-src 'self'"
    }
}
Any help towards fixing this error would greatly be appreciated.
By default, under Content Security Policy, inline scripts won't be loaded and only local scripts can be loaded. You could relax the default policy by:
Inline Script. Take a look at the Official Guide: inline scripts can be whitelisted by specifying the base64-encoded hash of the source code in the policy. See Hash usage for elements for an example.
But I believe a better way would be to extract this logic into a separate script and not use inline scripts.
Remote Script. You could whitelist the script resource https://apis.google.com/js/client.js?onload=handleClientLoad with the following section in manifest.json:
"content_security_policy":"script-src 'self' https://apis.google.com; object-src 'self'"
Also, I believe a better way could be downloading the remote client.js and including it as a local script.
Please be aware that, as per the description of Inline Script, unsafe-inline no longer works.
Up until Chrome 45, there was no mechanism for relaxing the restriction against executing inline JavaScript. In particular, setting a script policy that includes 'unsafe-inline' will have no effect.
I solved this by outsourcing everything into the JavaScript file.
So instead of the onclick method in the html I have in the JS file:
window.onload = function () {
    document.getElementById("button").onclick = <function>;
}
You can use this instead of onclick in an external file:
document.getElementById("divId").addEventListener("click", myFunction);