1

When uploading my unpacked Chrome extension, I get the following error:

Could not load extension from '/Users/me/example'. Invalid value for 'content_security_policy': Both 'script-src' and 'object-src' directives must be specified (either explicitly, or implicitly via 'default-src'), and both must whitelist only secure resources. You may include any of the following sources: "'self'", "'unsafe-eval'", "http://127.0.0.1", "http://localhost", or any "https://" or "chrome-extension://" origin. For more information, see http://developer.chrome.com/extensions/contentSecurityPolicy.html

My manifest looks like the following:

{
  "name": "Example Inc.",
  "manifest_version" : 2,
  "version": "0.4.4",
  "content_scripts": [
    {
      "matches": [
        "*://*.example.cc/*"
      ],
      "js": [
        "production/jquery.libs.min.js",
        "https://example.cc/js/example.js"
      ],
      "run_at": "document_end"
    }
  ],
  "permissions": [
    "*://*.example.cc/*",
    "tabs",
    "activeTab",
    "contextMenus",
    "storage",
    "management",
    "cookies"
  ],
  "content_security_policy": "script-src 'self' https://ssl.google-analytics.com/ga.js https://example.cc/js/*; object-src 'self'"
}

From all the examples I've seen, and after reading through some of the CSP docs, I'm not sure what I'm missing. Our domain is fully https, the example.js file exists and is accessible, etc.

Any ideas are welcome!

dylst

2 Answers

1

If you are only using your code, set it to self only, e.g.:

"content_security_policy": "script-src 'self'; default-src 'self'",

pref
0

You should do:

"content_security_policy": "script-src 'self' https://ssl.google-analytics.com/ga.js https://example.cc; object-src 'self'"
Aminadav Glickshtein
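
An added example, not part of either answer and not Chrome's own validator: a small linter that applies the two rules stated in the error message (both `script-src` and `object-src` present, directly or via `default-src`, and only the listed source types) to the three policies quoted on this page. It also flags `*` inside a source's path, because CSP source expressions define wildcards only for the leftmost host label and the port; the function names and the fourth sample policy are constructed for illustration.

```javascript
// Source values the error message allows verbatim (exact match only here).
const LITERALS = new Set(["'self'", "'unsafe-eval'", "http://127.0.0.1", "http://localhost"]);

// Split a policy into directive name -> source list. As in CSP, the first
// occurrence of a directive wins and later duplicates are ignored.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Return a problem string for one source expression, or null if it passes.
function checkSource(src) {
  if (LITERALS.has(src)) return null;
  const m = /^(https|chrome-extension):\/\/([^\/]+)(\/.*)?$/.exec(src);
  if (!m) return `not in the allowed list: ${src}`;
  if (m[3] && m[3].includes("*")) return `'*' in path is not a CSP wildcard: ${src}`;
  return null;
}

// Check script-src and object-src, falling back to default-src when absent.
function lintExtensionCsp(policy) {
  const directives = parseCsp(policy);
  const problems = [];
  for (const name of ["script-src", "object-src"]) {
    const sources = directives.get(name) ?? directives.get("default-src");
    if (!sources) { problems.push(`${name} is not specified`); continue; }
    for (const src of sources) {
      const problem = checkSource(src);
      if (problem) problems.push(`${name}: ${problem}`);
    }
  }
  return problems;
}

// Policies quoted on this page, plus one constructed failing case.
const samples = {
  question: "script-src 'self' https://ssl.google-analytics.com/ga.js https://example.cc/js/*; object-src 'self'",
  answer1: "script-src 'self'; default-src 'self'",
  answer2: "script-src 'self' https://ssl.google-analytics.com/ga.js https://example.cc; object-src 'self'",
  constructed: "script-src 'self' http://cdn.example.cc",
};
for (const [label, policy] of Object.entries(samples)) {
  console.log(label, lintExtensionCsp(policy));
}
```

Running a check like this over `manifest.json` in CI catches a rejected policy before the extension is loaded, and keeps the allowed script origins as narrow as the answers above suggest.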