Manifest version 2 for news reader - javascript

I'm trying to install the news reader from the Chrome example extensions,
but it isn't working, without even making a change. Because it wants manifest v2, I added manifest_version: 2 to the manifest, and that gave me the following:
{
  "name": "__MSG_name__",
  "version": "1.1",
  "manifest_version": 2,
  "description": "__MSG_description__",
  "icons": { "128": "news_icon.png" },
  "browser_action": {
    "default_title": "__MSG_default_title__",
    "default_icon": "news_action.png",
    "default_popup": "feed.html"
  },
  "permissions": [
    "tabs",
    "http://news.google.com/*",
    "http://news.google.es/*"
  ],
  "default_locale": "en"
}
But how would I update it to fix the following errors:
feed.html:75 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' chrome-extension-resource:". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
feed.html:103 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' chrome-extension-resource:". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
feed.html:308 Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' chrome-extension-resource:". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.

There's a handy guide at the Content Security Policy documentation. It also mentions that it can't be solved by modifying CSP itself in case of inline scripts.
Specifically, read the section on inline scripts.
In short, the following changes are needed in your case (based on the errors):
If there are any <script> /* some code */ </script> blocks, they need to be moved into a separate file and loaded with <script src="file.js"></script>
If there are any inline handlers like <div onclick="clickHandler()"> or <body onload="load()">, they need to be converted to addEventListener format and performed from included JS code. See the documentation for examples.
Don't hesitate to raise a bug at https://crbug.com to indicate that the sample is out of date.
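The two changes listed above can be checked before the extension is loaded. The scan below is an added example, not part of the original answer or of the Chrome sample; the function names and the sample page are assumptions made for illustration. It reports the line of every inline <script> body and every on* attribute, the same locations the console errors point at.

```javascript
// Lint-level scan with regular expressions (added example), not an HTML parser.
const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
const TAG_RE = /<[a-z][^>]*>/gi;
const HANDLER_RE = /\s(on[a-z]+)\s*=/gi;

// 1-based line number of a character offset, as in "feed.html:75".
function lineOf(text, index) {
  return text.slice(0, index).split("\n").length;
}

function findInlineCode(html) {
  const findings = [];
  // <script> elements that carry code in their body instead of a src attribute.
  for (const m of html.matchAll(SCRIPT_RE)) {
    if (!/\bsrc\s*=/i.test(m[1]) && m[2].trim() !== "") {
      findings.push({ line: lineOf(html, m.index), kind: "inline-script" });
    }
  }
  // Blank out script bodies, keeping offsets, so markup quoted inside
  // JavaScript strings is not mistaken for real attributes.
  const markup = html.replace(SCRIPT_RE, (all) => {
    const end = all.indexOf(">") + 1;
    return all.slice(0, end) + all.slice(end).replace(/[^\n]/g, " ");
  });
  // on* attributes (onclick, onload, ...) inside opening tags.
  for (const tag of markup.matchAll(TAG_RE)) {
    for (const attr of tag[0].matchAll(HANDLER_RE)) {
      const line = lineOf(markup, tag.index);
      findings.push({ line, kind: "inline-handler", attr: attr[1].toLowerCase() });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample popup page, not the real feed.html.
const SAMPLE_PAGE = [
  '<html><head>',
  '<script src="feed.js"></script>',
  '<script>',
  '  var hint = "<a onclick=go()>";',
  '</script>',
  '</head>',
  '<body onload="main();">',
  '<div id="more" onclick="moreStories()">More</div>',
  '</body></html>',
].join("\n");

console.log(findInlineCode(SAMPLE_PAGE));
```

Each finding maps to one of the two fixes: an inline-script entry moves to a separate .js file, and an inline-handler entry becomes an addEventListener call in that file.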

Related

How to embed a bokeh js plot in a web page with CSP?

The div generated by bokeh uses inline style, giving the error Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-...'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.

Chrome extension error when adding script tags to html

My problem is that, when developing a chrome extension, I am getting this error:
Refused to execute inline script because it violates the following
Content Security Policy directive: "script-src 'self' blob:
filesystem: chrome-extension-resource:". Either the 'unsafe-inline'
keyword, a hash
('sha256-+BWoieEB23JsqONQi994gklHUNPq5RCtit+I45ejZPU='), or a nonce
('nonce-...') is required to enable inline execution.
When I try to add to the html.
What can I do?

how to run python script from javascript file?

I'm trying to run a python script in a chrome extension with brython and I'm stuck because of the content security policy. The only tutorial I could find recommended I set up an html file like this:
<body onLoad="">
<iframe src="C:\\hello.py" id="frame" seamless="seamless" scrolling="no"></iframe>
</body>
but an error always pops up in the console saying:
"Refused to execute inline event handler because it violates the following
Content Security Policy directive: "script-src 'self'". Either the 'unsafe-
inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required
to enable inline execution."
I have this line in my manifest file:
"content_security_policy": "script-src 'self' 'unsafe-inline'; object-src 'self'",
but I assume it's not doing anything since people have said that the 'unsafe-inline' keyword is deprecated.
Is there any way to do this in a javascript file and not in the html, and is that a way to get around this problem? I'm really not sure what I'm doing here, so can someone please point me in the right direction?

Dynamically loading script file in background script in Chrome extension

I have loaded jQuery via the manifest.json and I now want the ability to dynamically load other local scripts (if needed).
I have tried the following
$.getScript(chrome.extension.getURL('script.js'), function () {
  console.log("Script loaded")
});
But it gives this error
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' blob: filesystem: chrome-extension-resource:". Either the 'unsafe-inline' keyword, a hash ('sha256-JNPQ...'), or a nonce ('nonce-...') is required to enable inline execution.
How can I fulfill what it asks for?

How to fix chrome-extension inline JavaScript invocation error?

I'm making a chrome extension however I seem to get the following error when I try to fire up an onclick() event.
Refused to load the script 'https://apis.google.com/js/client.js?onload=handleClientLoad' because it violates the following Content Security Policy directive: "script-src 'self' blob: filesystem: chrome-extension-resource:"
and
Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' blob: filesystem: chrome-extension-resource:". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
This is my manifest.json :
{
  "manifest_version": 2,
  "name": "SECURE",
  "description": "this extension offers secure communication for GMAIL users",
  "version": "1.0",
  "browser_action": {
    "default_icon": "resources/icon16.png",
    "default_popup": "popup.html",
    "default_title": "Click here!"
  },
  "background":{
    "scripts":["background.js"]
  },
  "content_scripts": [
    {
      "matches": ["http://*/*", "https://*/*"],
      "js":["myscript.js"],
      "run_at": "document_end"
    }
  ],
  "permissions": ["identity", "https://accounts.google.com/*", "https://www.googleapis.com/*"],
  "oauth2": {
    "client_id": "975410329966.apps.googleusercontent.com",
    "scopes": [
      "<all urls>",
      "https://www.googleapis.com/auth/drive",
      "https://mail.google.com/",
      "https://www.googleapis.com/auth/gmail.login",
      "https://www.googleapis.com/auth/gmail.compose",
      "https://www.googleapis.com/auth/gmail.readonly",
      "https://www.googleapis.com/auth/gmail.send"
    ],
    "content_security_policy":"script-src 'self' 'unsafe-inline' 'unsafe eval' https://apis.google.com/js/client.js?; object-src 'self'"
  }
}
Any help towards fixing this error would greatly be appreciated.
With the default Content Security Policy, inline scripts won't be loaded and only local scripts can be loaded. You could relax the default policy by:
Inline Script. Take a look at the Official Guide: inline scripts can be whitelisted by specifying the base64-encoded hash of the source code in the policy. See Hash usage for elements for an example.
But I believe a better way would be to extract this logic into a separate script and not use an inline script.
Remote Script. You could whitelist the script resource https://apis.google.com/js/client.js?onload=handleClientLoad with the following section in manifest.json:
"content_security_policy":"script-src 'self' https://apis.google.com; object-src 'self'"
Also, I believe a better way could be to download the remote client.js and include it as a local script.
Please be aware as per the description of Inline Script, unsafe-inline no longer works.
Up until Chrome 45, there was no mechanism for relaxing the restriction against executing inline JavaScript. In particular, setting a script policy that includes 'unsafe-inline' will have no effect.
I solved this by outsourcing everything into the JavaScript file.
So instead of the onclick method in the html I have in the JS file:
window.onload = function () {
  document.getElementById("button").onclick = <function>;
}
You can use this instead of onclick in an external file:
document.getElementById("divId").addEventListener("click", myFunction);
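As an added example (not code from any of the posts above), this lint pass checks a manifest's script-src for the problems discussed in this thread: a policy that is not a top-level manifest key, 'unsafe-inline', malformed keywords, and a source that carries a query string. The function names and both manifests are constructed for illustration.

```javascript
function findCsp(manifest) {
  if (typeof manifest.content_security_policy === "string") {
    return { csp: manifest.content_security_policy, parent: null };
  }
  // Look one level down for a policy placed inside another section by mistake.
  for (const [key, value] of Object.entries(manifest)) {
    if (value && typeof value.content_security_policy === "string") {
      return { csp: value.content_security_policy, parent: key };
    }
  }
  return null;
}

function lintManifestCsp(manifest) {
  const found = findCsp(manifest);
  if (!found) return []; // no policy declared: the default policy applies
  const issues = [];
  if (found.parent !== null) {
    issues.push(`policy is nested under "${found.parent}"; it must be a top-level key`);
  }
  const scriptSrc = found.csp.split(";").map((d) => d.trim())
    .find((d) => d.startsWith("script-src")) || "";
  for (const token of scriptSrc.split(/\s+/).slice(1)) {
    const opens = token.startsWith("'");
    const closes = token.length > 1 && token.endsWith("'");
    if (opens !== closes) {
      issues.push(`malformed keyword near ${token}`);
    } else if (token === "'unsafe-inline'") {
      issues.push("'unsafe-inline' does not enable inline scripts");
    } else if (!opens && token.includes("?")) {
      issues.push(`${token} has a query string; list the origin instead`);
    }
  }
  return issues;
}

// Constructed manifests: first mirrors the question's layout, second uses the answer's policy.
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  oauth2: {
    client_id: "PLACEHOLDER",
    content_security_policy: "script-src 'self' 'unsafe-inline' 'unsafe eval' " +
      "https://apis.google.com/js/client.js?; object-src 'self'",
  },
};
const FIXED_MANIFEST = {
  manifest_version: 2,
  content_security_policy: "script-src 'self' https://apis.google.com; object-src 'self'",
};
console.log(lintManifestCsp(SAMPLE_MANIFEST), lintManifestCsp(FIXED_MANIFEST));
```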
