Chrome Extension: Refused to load the script because it violates the following Content Security Policy directive: "script-src 'self'

Question

I'm building a Chrome extension and using $.ajax (jsonp) to pull article titles and urls from a json array on a wordpress site.

If I GET from a https site, it works fine, however if I GET from a http site I get the following error.

Refused to load the script because it violates the following Content Security Policy directive: "script-src 'self'

Unfortunately it's not possible in this instance to use HTTPS on this particular site, so how do I allow a none http site in my Content Security Policy in my manifest.json or is it strictly https only?

Are you using ajax in your content script? If so, do it in the background script and send the results back via messaging. — wOxxOm, Nov 13 '17 at 14:42

score 1 · Answer 1 · answered Nov 13 '17 at 14:37

1

According to developer.chrome.com/extensions/contentSecurityPolicy, only HTTPS sites can be added to the CSP, not HTTP.

But you should not be doing JSONP from a Chrome extension, period. Can't do HTTP Request with my Chrome Extension

answered Nov 13 '17 at 14:37

Josh Lee

171,072
38
269
275

Chrome Extension: Refused to load the script because it violates the following Content Security Policy directive: "script-src 'self'

1 Answers1