-1

converting a Chrome extension from V2 to V3 - I've added the line:

"content_security_policy": {
"extension_pages": "script-src 'self' 'wasm-unsafe-eval'; object-src 
'self' 'wasm-unsafe-eval'"
},

When running the extension, I get the error:

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval'
is not an allowed source of script in the following Content Security Policy directive:
"script-src 'self' 'wasm-unsafe-eval' 'inline-speculation-rules'

Below is my manifest file:

{
"name": "Fill DTX 24x7 team",
  "version": "1.1",
  "content_security_policy": {
  "extension_pages": "script-src 'self' 'wasm-unsafe-eval'; object-src 
 'self' 'wasm-unsafe-eval'"

 },
  "description": "Enters hours, codes and tasks into DTX!",
  "permissions": [ "activeTab", "declarativeContent", "storage", "scripting" ],
  "options_page": "options.html",
  "background": {
    "service_worker": "background.js",
    "type": "module"
  },
  "action": {
    "default_popup": "popup.html",
    "default_icon": {
      "16": "images/get_started16.png",
      "32": "images/get_started32.png",
      "48": "images/get_started48.png",
      "128": "images/get_started128.png"
    }
  },
  "icons": {
    "16": "images/get_started16.png",
    "32": "images/get_started32.png",
    "48": "images/get_started48.png",
    "128": "images/get_started128.png"
  },
  "manifest_version": 3
}

This is the code in my popup.js file, that defines the code to run (just an alert('hi') for the sake of troubleshooting:

cde = "alert('hi')";

chrome.tabs.query({ active: true, currentWindow: true }, function (tabs)

{

    var tab = tabs[0];

    if (tab) {

        chrome.scripting.executeScript({

            target: { tabId: tab.id },

            function: (cde) => {

                console.log(cde);          

                eval(cde);

            },

            args: [cde]

        }).then(() => {

            console.log('Script executed successfully.');

            alert(cde);

            alert('Script executed successfully.');

        }).catch((error) => {

            console.error(error);

            alert(error);

        });

    } else {

        console.error('No active tab found.');

        alert("no active tab found");

    }

});

Any ideas what I may have missed?

Thanks, Mark

Mark Tait
  • 545
  • 3
  • 12
  • 22
  • Could it be that trailing semicolon is mandatory? `"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self';"` – vsemozhebuty Apr 17 '23 at 16:25
  • Thanks I tried that - but no luck. I have updated the code above though and have a new error. – Mark Tait Apr 17 '23 at 16:30
  • Don't update an already answered question with code for a completely new problem. Rollback the changes and ask a new question instead. – wOxxOm Apr 17 '23 at 18:06

1 Answers1

1

in manifest v3, the content_security_policy field should be an object instead of a string. Here's an example of how you can update your manifest file:

{
  "name": "Fill DTX 24x7 team",
  "version": "1.1",
  "content_security_policy": {
    "extension_pages": "script-src 'self' 'unsafe-eval'; object-src 'self'",
    "sandbox": "script-src 'self' 'unsafe-eval'; object-src 'self'"
  },
  "description": "Enters hours, codes and tasks into DTX!",
  "permissions": [ "activeTab", "declarativeContent", "storage", "scripting" ],
  "options_page": "options.html",
  "background": {
    "service_worker": "background.js",
    "type": "module"
  },
  "action": {
    "default_popup": "popup.html",
    "default_icon": {
      "16": "images/get_started16.png",
      "32": "images/get_started32.png",
      "48": "images/get_started48.png",
      "128": "images/get_started128.png"
    }
  },
  "icons": {
    "16": "images/get_started16.png",
    "32": "images/get_started32.png",
    "48": "images/get_started48.png",
    "128": "images/get_started128.png"
  },
  "manifest_version": 3
}

In this example, we've defined the content_security_policy field as an object with two properties: extension_pages and sandbox. The extension_pages property is used for pages that are part of the extension, such as the options page or the popup, while the sandbox property is used for content scripts that run in a sandboxed environment.

You can customize the values of these properties to fit your specific needs, but the syntax should follow the format of directive1 value1; directive2 value2; .... In this example, we've used the same value for both properties, but you may want to use different values depending on the context in which the script is running.

For more information on the content_security_policy field in manifest v3, you can refer to the official documentation: https://developer.chrome.com/docs/extensions/mv3/manifest/content_security_policy/

Edit: You changed the question, so here is another answer for the new question

You aren't allowed to call eval. Remote code is not supported in MV3, so any code should exist within your extension. Rather than calling eval, you should inject the actual function and execute it

Patrick
  • 13,872
  • 5
  • 35
  • 53