
javascript - Chrome Extension “Refused to load the script because it violates the following Content Security Policy directive”


I try to encrypt user data with the CryptoJS library and send it to the server by AJAX, but the console shows the error:

Refused to load the script 'https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.0.0/crypto-js.min.js' because it violates the following Content Security Policy directive: "script-src 'self' https://apis.google.com 'unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

My manifest code contains:

"content_security_policy": "script-src 'self' https://apis.google.com 'unsafe-eval'; object-src 'self'"

How do I solve this problem?

asked May 18, 2020 at 5:24 by Imran Jony
  • 1 It's best to remove content_security_policy and put the scripts into the extension directory and load them as any other extension script. Only then, if for some reason they won't work, use the custom csp and add cloudflare domain from the script url to the csp string. – woxxom Commented May 18, 2020 at 5:35
  • Try adding permissions for that URL in manifest.json file. – Surjith S M Commented May 18, 2020 at 14:04
  • Also try: "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'", – Surjith S M Commented May 18, 2020 at 14:08

2 Answers


For those who stumble upon the same issue: I had the same one, and it was resolved after I updated content_security_policy to include the googleapis URL I was trying to load.

My code:

<head>
...
<script src="https://maps.googleapis.com/maps/api/js?key=API_KEY&libraries=places"></script>
</head>

Needed:

{
  "content_security_policy": "script-src 'self' 'unsafe-eval' https://maps.googleapis.com 'unsafe-inline'; object-src 'self'"
}

The script-src-elem directive specifies valid sources for JavaScript elements.

Try this for V3 by adding script-src-elem:

  "content_security_policy": {
    "extension_pages": "script-src 'self' 'unsafe-eval' https://maps.googleapis.com; object-src 'self'; script-src-elem 'self' 'unsafe-eval' https://maps.googleapis.com"
  }

Delete the https://maps.googleapis.com if you don't care about it.

Some context from the MDN Content-Security-Policy page:

The HTTP Content-Security-Policy response header allows web site administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting (XSS) attacks.

Syntax

Content-Security-Policy: <policy-directive>; <policy-directive>

where <policy-directive> consists of: <directive> <value> with no internal punctuation.
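To make the fallback behaviour in the error message concrete (script-src-elem is consulted first, then script-src, then default-src), here is an added example that is not code from the question or either answer: a small Node.js checker that reads a manifest's content_security_policy in either the MV2 string form or the MV3 {"extension_pages": "..."} form, parses it with the directive/value syntax quoted above, finds the directive that governs a <script src> element, and reports whether a given script URL would load. The manifests and URLs are constructed from the values on this page, the extension id is a placeholder, and the default policy applied when the key is absent is an assumption of this example.

```javascript
// Added example (not from the question or answers): decide whether an extension
// page may load a <script src="..."> under the manifest's CSP, following the
// script-src-elem -> script-src -> default-src fallback chain.

// Policy assumed here for a manifest that sets no content_security_policy.
const DEFAULT_EXTENSION_CSP = "script-src 'self'; object-src 'self'";

// "dir1 v1 v2; dir2 v3" -> Map { "dir1" => ["v1", "v2"], "dir2" => ["v3"] }.
// CSP honours the first occurrence of a directive and ignores later duplicates.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), values);
    }
  }
  return directives;
}

// The policy string that applies to extension pages, whichever manifest version.
function extensionPagesPolicy(manifest) {
  const csp = manifest.content_security_policy;
  if (typeof csp === "string") return csp;                                        // MV2
  if (csp && typeof csp.extension_pages === "string") return csp.extension_pages; // MV3
  return DEFAULT_EXTENSION_CSP;
}

// The directive that governs a <script src> element, per the fallback chain.
function scriptElementDirective(directives) {
  for (const name of ["script-src-elem", "script-src", "default-src"]) {
    if (directives.has(name)) return { name, sources: directives.get(name) };
  }
  return null; // nothing restricts script elements
}

// Does one source expression match the URL? 'self' is the extension's own origin
// (chrome-extension://<id>); host sources may carry a scheme, a *. wildcard,
// a port and a path. Quoted keywords such as 'unsafe-eval' never match a URL.
function sourceMatches(source, url, selfOrigin) {
  // url.origin is "null" for the non-special chrome-extension: scheme, so rebuild it.
  const urlOrigin = `${url.protocol}//${url.host}`;
  if (source === "'self'") return urlOrigin === selfOrigin;
  if (source.startsWith("'")) return false;
  if (source === "*") return true;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  if (scheme && scheme.toLowerCase() + ":" !== url.protocol) return false;
  const h = url.hostname.toLowerCase();
  if (wildcard ? !h.endsWith("." + host.toLowerCase()) : h !== host.toLowerCase()) return false;
  const urlPort = url.port || (url.protocol === "https:" ? "443" : url.protocol === "http:" ? "80" : "");
  if (port && port !== "*" && port !== urlPort) return false;
  // A path ending in "/" is a prefix match; any other path must match exactly.
  if (path && (path.endsWith("/") ? !url.pathname.startsWith(path) : url.pathname !== path)) return false;
  return true;
}

// Would the manifest let an extension page load scriptUrl?
function checkScript(manifest, scriptUrl, selfOrigin) {
  const governing = scriptElementDirective(parseCsp(extensionPagesPolicy(manifest)));
  if (!governing) return { allowed: true, directive: null, weakenings: [] };
  const url = new URL(scriptUrl);
  return {
    allowed: governing.sources.some((s) => sourceMatches(s, url, selfOrigin)),
    directive: governing.name,
    // Keywords that weaken script protection; worth noticing before adding them.
    weakenings: governing.sources.filter((s) => s === "'unsafe-inline'" || s === "'unsafe-eval'"),
  };
}

// Constructed demo inputs (placeholder extension id; policies from this page).
const SELF = "chrome-extension://extension-id-placeholder";
const mv2Manifest = {
  content_security_policy: "script-src 'self' https://apis.google.com 'unsafe-eval'; object-src 'self'",
};
const mv3Manifest = {
  content_security_policy: {
    extension_pages:
      "script-src 'self' 'unsafe-eval' https://maps.googleapis.com; object-src 'self'; " +
      "script-src-elem 'self' 'unsafe-eval' https://maps.googleapis.com",
  },
};

const CDN_SCRIPT = "https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.0.0/crypto-js.min.js";
console.log("MV2, CDN copy:  ", checkScript(mv2Manifest, CDN_SCRIPT, SELF));                 // allowed: false
console.log("MV2, local copy:", checkScript(mv2Manifest, `${SELF}/lib/crypto-js.min.js`, SELF)); // allowed: true
console.log("MV3, maps API:  ", checkScript(mv3Manifest, "https://maps.googleapis.com/maps/api/js", SELF));
```

The first call reproduces the question's failure: the CDN host is not listed under script-src, and since no script-src-elem exists, script-src is the governing directive. The second call shows the fix woxxom suggests in the comments, a copy of the library shipped inside the extension, which matches 'self' without widening the policy; the third shows the MV3 form from the second answer, where script-src-elem is present and is consulted directly.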
