Chrome showing error as: Refused to execute inline script because of Content-Security-Policy

JqueryGoogle ChromeGoogle Chrome-Extension

Jquery Problem Overview

I am working on creating a Chrome Extension of an Image Cropping Widget. The code of my popup.html is as follows:

<body>
    <textarea id="widget_script" style="border:1px solid #ccc;padding:5px;width:600px" rows="5" readonly></textarea>
    <script type="text/javascript">
        var protocol=window.location.protocol;
        var host= window.location.host;
        var head=('<div id="wd_id" style="margin-bottom: 20px;"></div>
    <script type="text/javascript" src="http://code.jquery.com/jquery-latest.min.js"></\script>
    <script type="text/javascript" src="'+protocol+'//'+host+'Image_crop/cropimages/img_crop_widget.js'+'"><\/script>
    <script type="text/javascript">init_widget()<\/script>');
        document.getElementById("widget_script").innerHTML=head;
    </script>
</body>

The variables protocol and host take protocol and host from URL in the browser. When I tried to integrate this as a Chrome extension, it is not working. When it works perfectly, it displays following code in the textarea:

<div id="wd_id" style="margin-bottom: 20px;"></div>
<script type="text/javascript" src="http://code.jquery.com/jquery-latest.min.js"></script>
<script type="text/javascript" src="http://localhost/cropimages/img_crop_widget.js"></script>
<script type="text/javascript">init_widget()</script>

I have things few things like, placing the JS code in external JS file and and also calling the file in manifest.json calling it in my popup.html, but none worked.

Can anyone tell me what I am doing wrong, or what else should I try to make it work?

Thanks in advance...

Jquery Solutions

Solution 1 - Jquery

From the Chrome extension CSP docs:

> Inline JavaScript will not be executed. This restriction bans both inline <script> blocks and inline event handlers (e.g. <button onclick="...">).

You cannot have inline scripts in your extension HTML like:

<script>alert("I'm an inline script!");</script>

<button onclick="alert('I am an inline script, too!')">

Rather, you must place your script into a separate file:

<script src="somescript.js"></script>

Solution 2 - Jquery

If you are using React with create-react-app:

  1. create a .env file in project root

  2. Add variable as follows: INLINE_RUNTIME_CHUNK=false

  3. Build the project again and load the extension again.

Source

Solution 3 - Jquery

You have to add content_security_policy to your manifest.json file:

"content_security_policy": "script-src 'self' 'sha256-B+Qe/KNUDtGDd/m1g5ycAq1DgpLs9ubKmYTlOHBogC8='; object-src 'self'"

You will find the hash from console.

enter image description here

Solution 4 - Jquery

I just ran into this issue as I was developing an extension. I removed the extension and loaded it again which made the error message disappear.

Categories
Recommended Jquery Solutions
Recommended Google Chrome Solutions
Recommended Google Chrome-Extension Solutions

Previous Solution:

Checking letter case (Upper/Lower) within a string in Java

Java

Next Solution:

Bootstrap dropdowns menus appearing behind other elements - IE7

CssInternet ExplorerTwitter BootstrapInternet Explorer-7

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content TypeOriginal AuthorOriginal Content on Stackoverflow
QuestionV15HM4YView Question on Stackoverflow
Solution 1 - JqueryapsillersView Answer on Stackoverflow
Solution 2 - JquerydasfdsaView Answer on Stackoverflow
Solution 3 - JqueryemonView Answer on Stackoverflow
Solution 4 - JqueryHatem JaberView Answer on Stackoverflow