
I have an error:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' chrome-extension-resource:". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.

chrome-extension://ldbpohccneabbobcklhiakmbhoblcpof/popup.html:1

Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' chrome-extension-resource:".

The code, popup.js:

$(document).ready(function() {
  $.getJSON('http://.......alerts.json', function(data) {
    alert('HELLO');
  });
});

Manifest:

{
  "manifest_version": 2,

  "name": "Alert",
  "description": "This extension for  .",
  "version": "2.0",
  "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'",
  "permissions": [
    "http://www.......il/"
  ],
  "browser_action": {
    "default_icon": "icon.png",
    "default_popup": "popup.html"
  },
  "content_scripts": [ {
    "js": [ "jquery.min.js", "popup.js" ],
    "matches": [ "http://*/*", "https://*/*"]
  }]
}

Popup:

<!doctype html>
<html>
  <head>
    <title>Getting Started Extension's Popup</title>
    <style>
      body {
        min-width: 357px;
        overflow-x: hidden;
      }

      img {
        margin: 5px;
        border: 2px solid black;
        vertical-align: middle;
        width: 75px;
        height: 75px;
      }
    </style>
     <head>
     <script src='jquery.min.js'></script>
     <script src='popup.js'></script>
</head>
  </head>
  <body>
  </body>
</html>
Danatela
Vitaly Menchikovsky
  • I edited your question for proper formatting, and took the liberty of removing the second question - it's a different question, please separate those. – Xan Jul 17 '14 at 08:46
  • Your problem probably lies in your `popup.html` file, there's nothing wrong with the JS file. – Xan Jul 17 '14 at 08:47
  • Added the popup.html. Please advise. – Vitaly Menchikovsky Jul 17 '14 at 09:09
  • Why does it have a double `<head>`? – Xan Jul 17 '14 at 09:10
  • Thanks, working, but I still have an issue in the console: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. – Vitaly Menchikovsky Jul 17 '14 at 09:15
  • What version of jQuery are you using? – Scott Jul 17 '14 at 15:08

4 Answers


I had this message because Chrome doesn't allow inline scripts and inline event handlers (like onClick) anymore: they have to be moved to an external JS file (e.g. popup.js) and addEventListener() has to be used to associate events with DOM objects.

For example:

<body onload="initialize()">
<button onclick="handleClick()" id="button1">

has to be replaced by:

window.addEventListener("load", initialize);
document.getElementById("button1").addEventListener("click",handleClick);

In your case, I don't see any JS in the HTML, but there are a few things you could try:

  • move the popup.js include to just before the closing </body> tag.
  • correct the HTML (double <head>).
  • remove the content_scripts section from the manifest. Content scripts are supposed to be executed against the content of the page; they are not the JS files included in the page or browser action popup. The browser_action section should suffice.

See Chrome extension manifest V2 notes

Yano
  • Not relevant to this case. He is probably using an older version of jQuery that has CSP problems. – Xan Aug 20 '14 at 06:29
  • I believe Chrome does accept them now. Just haven't figured out how to use it yet. Take a look here: https://developer.chrome.com/extensions/contentSecurityPolicy#relaxing-inline-script – marcelocra Dec 05 '15 at 03:10
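A static pre-flight check for the situation in this thread, added here as an example; it is not code from the question, the answers or Chrome. It splits a Manifest V2 content_security_policy string into directives and then scans a popup page for the constructs a script-src without 'unsafe-inline' refuses: script blocks with no src, on*= handler attributes and javascript: URLs. The manifest and the two popup pages are constructed to mirror the question and the answer above; the HTML scan is a regex heuristic, not a parser, so treat its output as a hint rather than a verdict. The note about 'unsafe-inline' reflects Chrome's documented behaviour for extension pages, where the keyword has no effect.

```javascript
// Added example, not code from the question, the answers or Chrome. Parses a
// Manifest V2 content_security_policy and statically checks a popup page for
// the constructs a script-src without 'unsafe-inline' refuses. Regex-based
// heuristic for a quick pre-flight; it is not an HTML parser.

// "script-src 'self' 'unsafe-eval'; object-src 'self'" ->
// { 'script-src': ["'self'", "'unsafe-eval'"], 'object-src': ["'self'"] }
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Finds <script> blocks with no src, on*="..." handler attributes and
// javascript: URLs. Returns [{ kind, snippet }].
function findInlineScript(html) {
  const findings = [];
  let m;
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  while ((m = scriptRe.exec(html)) !== null) {
    if (!/\bsrc\s*=/i.test(m[1]) && m[2].trim() !== '') {
      findings.push({ kind: 'inline-script', snippet: m[2].trim().slice(0, 40) });
    }
  }
  const handlerRe = /\son([a-z]+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi;
  while ((m = handlerRe.exec(html)) !== null) {
    findings.push({ kind: 'inline-handler', snippet: `on${m[1]}=${m[2]}` });
  }
  const jsUrlRe = /\b(?:href|src)\s*=\s*["']?\s*javascript:/gi;
  while ((m = jsUrlRe.exec(html)) !== null) {
    findings.push({ kind: 'javascript-url', snippet: m[0] });
  }
  return findings;
}

// Returns human-readable problems: policy weaknesses first, then every
// construct in the HTML that this policy will refuse at runtime.
function auditPopup(manifest, html) {
  // Chrome's MV2 default when the manifest key is absent.
  const policy = manifest.content_security_policy || "script-src 'self'; object-src 'self'";
  const scriptSrc = parseCsp(policy)['script-src'] || [];
  const problems = [];
  if (scriptSrc.includes("'unsafe-eval'")) {
    problems.push("script-src allows 'unsafe-eval': eval, new Function and string setTimeout are permitted");
  }
  if (scriptSrc.includes("'unsafe-inline'")) {
    problems.push("script-src lists 'unsafe-inline': Chrome ignores it for extension pages, inline script stays blocked");
  }
  for (const f of findInlineScript(html)) {
    problems.push(`${f.kind} refused by "script-src ${scriptSrc.join(' ')}": ${f.snippet}`);
  }
  return problems;
}

// Constructed inputs: the CSP from the question's manifest, a popup that only
// loads external files (as in the question) and one with the inline forms
// from the answer above.
const QUESTION_MANIFEST = { content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'" };
const EXTERNAL_ONLY_POPUP = `<!doctype html><html><head>
<script src='jquery.min.js'></script><script src='popup.js'></script>
</head><body></body></html>`;
const INLINE_POPUP = `<!doctype html><html><head>
<script>var global = global || window;</script>
</head><body onload="initialize()">
<button onclick="handleClick()" id="button1">Go</button>
<a href="javascript:void(0)">x</a>
</body></html>`;

console.log(auditPopup(QUESTION_MANIFEST, EXTERNAL_ONLY_POPUP)); // only the 'unsafe-eval' warning
console.log(auditPopup(QUESTION_MANIFEST, INLINE_POPUP));        // plus four refused constructs
```

Run against the question's own popup this reports nothing the CSP would refuse, which matches the comment above that the jQuery version, not the HTML, is the likely culprit; the one thing it does flag is that 'unsafe-eval' in the manifest widens what any response or string reaching an eval sink can do.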

I had a very similar problem. I was not using any Inline Scripts or Inline Event Handlers but still getting that error. Turned out, jQuery internally tries to evaluate the response of such requests which is not allowed in Chrome Extensions. In my case, I was using $.ajax() with dataType: 'json'. I resolved the issue by changing dataType to text and then manually parsing JSON using JSON.parse().

Also it is relevant to mention that most of the jQuery APIs try to execute scripts included in a given HTML string while parsing it, which causes similar errors when used in a Chrome Extension. Explicit escaping of scripts in responses is required in such cases. Here is a quote from jQuery's parseHTML() documentation:

Most jQuery APIs that accept HTML strings will run scripts that are included in the HTML. jQuery.parseHTML does not run scripts in the parsed HTML unless keepScripts is explicitly true. However, it is still possible in most environments to execute scripts indirectly, for example via the <img onerror> attribute. The caller should be aware of this and guard against it by cleaning or escaping any untrusted inputs from sources such as the URL or cookies. For future compatibility, callers should not depend on the ability to run any script content when keepScripts is unspecified or false.

Please note that those points cause problems when used in a Chrome Extension due to Chrome's restriction about inline script evaluation. They might not hold true in general.

Cashif Ilyas

I too faced this issue.

I was putting the following code in index.html, in the head tag:

<script>
    var global = global || window;
    var Buffer = Buffer || [];
    var process = process || {
      env: { DEBUG: undefined },
      version: []
    }
</script>

Then I moved this into a file, i.e. script.js, and referenced it in index.html like:

<script src="./script.js"></script>

I still got that error, and finally removed ./ and the issue was resolved:

<script src="script.js"></script>
WasiF

I also faced a similar, though not identical, problem:

Error was: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src chrome://resources chrome://test chrome://webui-test 'self'".

My code was:

    function greet(){alert('hello!');}
    var timeoutID = setTimeout("greet()", 5000); // this caused the problem

My changes which still gave an error:

    var timeoutID = setTimeout('greet()', 5000); // didn't work
    var timeoutID = setTimeout(greet(), 5000); // greet() runs at once

Finally this worked:

    var timeoutID = setTimeout(greet, 5000); // worked
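An added example, not the answer's code: a small lint pass over JavaScript source for the string-to-code sinks that a script-src without 'unsafe-eval' refuses (eval, new Function, a string passed to setTimeout or setInterval), plus the setTimeout(greet(), ...) slip from the answer, which CSP does not catch because what gets passed is the call's return value, not a string. The sample source is constructed from the answer's three variants with two extra sinks added; the scanner is regex-based and meant for triage, not a JavaScript parser.

```javascript
// Added example, not code from the answer. Flags implicit-eval sinks that a
// CSP without 'unsafe-eval' refuses, and the setTimeout(greet(), ...) mistake
// that CSP lets through. Regex heuristics over source lines, not a JS parser.

// First argument of a setTimeout/setInterval call, allowing one level of
// balanced parentheses so that "greet()" and greet() are captured whole.
const TIMER_CALL_RE = /\b(setTimeout|setInterval)\s*\(\s*((?:[^,()]|\([^()]*\))+)/g;

// Classify the first argument of a timer call.
function firstArgKind(arg) {
  const a = arg.trim();
  if (/^(['"`])[\s\S]*\1$/.test(a)) return 'string';                   // setTimeout("greet()", ...)
  if (/^[A-Za-z_$][\w$]*\s*\(\s*\)$/.test(a)) return 'immediate-call'; // setTimeout(greet(), ...)
  if (/^[A-Za-z_$][\w$]*$/.test(a)) return 'reference';                // setTimeout(greet, ...)
  if (/^(function\b|\(?[\w$,\s]*\)?\s*=>)/.test(a)) return 'function-expr';
  return 'other';
}

// Returns [{ line, sink, severity }]. 'blocked' means the CSP will refuse it
// at runtime; 'bug' means it runs, but not when the author intended.
function scanEvalSinks(source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    const lineNo = idx + 1;
    if (/\beval\s*\(/.test(line)) findings.push({ line: lineNo, sink: 'eval', severity: 'blocked' });
    if (/\bnew\s+Function\s*\(/.test(line)) findings.push({ line: lineNo, sink: 'new Function', severity: 'blocked' });
    TIMER_CALL_RE.lastIndex = 0;
    let m;
    while ((m = TIMER_CALL_RE.exec(line)) !== null) {
      const kind = firstArgKind(m[2]);
      if (kind === 'string') {
        findings.push({ line: lineNo, sink: `${m[1]}(string)`, severity: 'blocked' });
      } else if (kind === 'immediate-call') {
        findings.push({ line: lineNo, sink: `${m[1]}(call result)`, severity: 'bug' });
      }
    }
  });
  return findings;
}

// Constructed sample: the answer's variants plus two other eval sinks.
const SAMPLE_SOURCE = [
  "function greet(){alert('hello!');}",
  'var t1 = setTimeout("greet()", 5000);',                 // blocked by CSP
  "var t2 = setTimeout('greet()', 5000);",                 // blocked by CSP
  'var t3 = setTimeout(greet(), 5000);',                   // runs greet() now, schedules undefined
  'var t4 = setTimeout(greet, 5000);',                     // correct
  'var t5 = setInterval(function () { greet(); }, 1000);', // correct
  'var f = new Function("return 1");',                     // blocked by CSP
  'eval("greet()");',                                      // blocked by CSP
].join('\n');

console.log(scanEvalSinks(SAMPLE_SOURCE));
```

Running this over an extension's scripts before loading them gives the same list the CSP console errors would, without having to trigger each code path by hand, and it additionally catches the immediate-call form, which produces no CSP error at all and is therefore easy to miss.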