10

While trying to load a third-party JS file into content scripts in a Chrome extension, I'm facing an unsafe-eval error.

My manifest.json looks like this:

{
    "manifest_version": 3,
    "name": "Test",
    "version": "1.0",
    "host_permissions": ["https://mail.google.com/"],
    "content_scripts": [
        {
            "matches": [
                "https://mail.google.com/*"
            ],
            "js": ["3rdparty.js", "code.js"],
            "run_at": "document_end"
        }
    ]
}

After loading, I'm receiving this error:

Error logged: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".

So I have tried adding a CSP to the manifest file:

{
    ...,
    "content_security_policy": {
        "extension_pages": "script-src 'self' 'unsafe-eval'; object-src 'self'"
    }
}

Then I'm receiving this error in Chrome, telling me that it's unable to load the extension:

'content_security_policy.extension_pages': Insecure CSP value "'unsafe-eval'" in directive 'script-src'.

Syntax Hacker

1 Answer

6

I'm afraid you cannot use 'unsafe-eval' in manifest version 3.

Are you executing remote code or arbitrary strings? You can no longer execute external logic using chrome.scripting.executeScript({code: '...'}), eval(), and new Function().

You have to move all your scripts into remote or local files. You may generate scripts on a remote file (e.g. PHP) and execute them using chrome.scripting.executeScript instead of using eval(), or consider migrating back to MV2.

Ahmad Ameri
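A pre-flight check for the two failures in this thread, as an added example that is not code from the question or the answer: it lists the extension_pages CSP values Chrome will reject in Manifest V3 and the lines of a bundled library that use eval() or new Function(). The function names and the sample library text are hypothetical; the manifest fragment is the one from the question.

```javascript
// Added example (not from the thread). Function names are hypothetical.
// Values Chrome accepts for these directives in an MV3 extension_pages policy.
// Localhost sources, allowed for unpacked extensions only, are flagged too.
const ALLOWED = new Set(["'self'", "'none'", "'wasm-unsafe-eval'"]);
const CHECKED = new Set(["script-src", "object-src", "worker-src"]);

// Return the CSP source values that make Chrome refuse to load the manifest.
function findInsecureCsp(manifest) {
  const csp = manifest.content_security_policy;
  const policy = csp && typeof csp === "object" ? csp.extension_pages || "" : "";
  const problems = [];
  for (const directive of policy.split(";")) {
    const [name, ...values] = directive.trim().split(/\s+/);
    if (!CHECKED.has(name.toLowerCase())) continue;
    for (const value of values) {
      if (!ALLOWED.has(value.toLowerCase())) problems.push({ directive: name, value });
    }
  }
  return problems;
}

// Textual heuristic: flag string-to-code constructs that throw EvalError
// under "script-src 'self'". It does not parse the code, so review each hit.
function findEvalUse(source) {
  const patterns = [/\beval\s*\(/, /\bnew\s+Function\s*\(/];
  const hits = [];
  source.split("\n").forEach((text, i) => {
    if (patterns.some((p) => p.test(text))) hits.push({ line: i + 1, text: text.trim() });
  });
  return hits;
}

// Constructed sample input: the CSP from the question and a made-up
// stand-in for the contents of 3rdparty.js.
const sampleManifest = {
  manifest_version: 3,
  content_security_policy: {
    extension_pages: "script-src 'self' 'unsafe-eval'; object-src 'self'",
  },
};
const sampleLibrary = [
  "function render(tpl, data) {",
  "  return new Function('d', 'return ' + tpl)(data);",
  "}",
  "var parsed = eval('(' + payload + ')');",
].join("\n");

console.log(findInsecureCsp(sampleManifest));
console.log(findEvalUse(sampleLibrary));
```

Any hit from findEvalUse means the library needs a build or configuration that avoids runtime code generation before it can run as an MV3 content script.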