3

I am getting an error as captured in the screenshot below:


It reads:

Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src file: data: chrome-extension: https://ssl.gstatic.com". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

What am I doing wrong and how can I resolve the Content-Security-Policy error?

Below is my meta tag in my index.html:

<meta http-equiv="Content-Security-Policy" 
    content="default-src * 'self' 'unsafe-eval' 'unsafe-inline' 
    data: ssl.gstatic.com https://ssl.gstatic.com; 
    style-src * 'self' 'unsafe-inline' 
    chrome-extension: ssl.gstatic.com; 
    script-src * 'unsafe-inline' 'unsafe-eval' 'self' 
    chrome-extension: file: data: http: https: ssl.gstatic.com
 https://ssl.gstatic.com">

I'm using CCA with Onsen UI.

nyedidikeke
Marcelo Dolce

1 Answer

5

Your question is tagged as a Google Chrome App question.

Chrome Apps are subject to a very specific CSP and cannot override it.

default-src 'self';
connect-src *;
style-src 'self' data: chrome-extension-resource: 'unsafe-inline';
img-src 'self' data: chrome-extension-resource:;
frame-src 'self' data: chrome-extension-resource:;
font-src 'self' data: chrome-extension-resource:;
media-src *;

Your Chrome App can only refer to scripts and objects within your app, with the exception of media files (apps can refer to video and audio outside the package). Chrome extensions will let you relax the default Content Security Policy; Chrome Apps won’t.

The documentation then proceeds to have a helpful "How do I.." section. Take a look at it and see what fits your needs.

Xan
  • I changed it and it still did not work. It's weird because when testing in the browser, it works! But when it is built onto the device, no! – Marcelo Dolce Jul 01 '15 at 13:26
  • I said that I changed mine to what you ordered. It is exactly the same. Understood? – Marcelo Dolce Jul 01 '15 at 13:27
  • Okay, you need to carefully read the docs. You cannot change it, it's what it always is in Chrome Apps. This probably means you cannot use the library you're using unless you sandbox it. – Xan Jul 01 '15 at 13:28
  • I cannot use anything outside? For example, a library of Google Maps? – Marcelo Dolce Jul 01 '15 at 13:30
  • No, normally not. You can embed web content with ``, and you can use sandboxing for some tasks. You can of course just fetch data with XHR, but not run outside scripts. _Read the docs I linked!_ – Xan Jul 01 '15 at 13:42
  • I read, just do not understand why in earlier versions work? As in a mobile app will not be able to make these kinds of requests, did not confused with an extension? – Marcelo Dolce Jul 01 '15 at 13:53
  • Sorry, I can't understand what you just said. – Xan Jul 01 '15 at 14:06
  • This type of restriction also applies to a project Cordova app? – Marcelo Dolce Jul 01 '15 at 14:10
  • I don't know, but probably not. It's specific to Chrome Apps and as such also applies to the CCA toolchain. – Xan Jul 01 '15 at 14:11
  • I disabled all extensions and Google apps and the message is gone. – HomeMade Jul 01 '19 at 09:03