javascript - How to allow eval in chrome extension version 3 - Stack Overflow


I'm upgrading my Chrome extension to Manifest Version 3. But my extension uses eval in its content script. In version 3 I get the following error:

Error in event handler: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".

I was able to fix this in version 2 as follows:

 "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"

But this has changed, and I tried many things:

"content_security_policy": {
    "script-src": "self unsafe-eval",
    "unsafe-eval": "object-src self",
    "unsafe-inline": "self"
}

I'm not sure what exactly is possible here, so any help would be appreciated.

asked May 7, 2021 at 16:19 by Jeanluca Scaljeri
  • Check out the migration guide. "The script-src, ..., and worker-src directives may only have the following values: self, none, Any localhost source [...] CSP modifications for sandbox have no such new restrictions." You'll have to run your eval in a sandboxed page (or get rid of eval?) – blex Commented May 7, 2021 at 16:35
  • I cannot get rid of eval :( my extension Users can mock APIs and to do that sometimes custom javascript can be provided too, which I can only evaluate with "eval" – Jeanluca Scaljeri Commented May 7, 2021 at 19:38
  • People are discussing it here: groups.google.com/a/chromium/g/chromium-extensions/c/… – thdoan Commented Oct 4, 2022 at 20:37
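The migration-guide passage quoted in the comment above points at the supported way to keep user-supplied code running under Manifest V3: a sandboxed extension page. Sandboxed pages are loaded with a unique origin, have no access to the chrome.* APIs, and are the one place whose CSP may still contain 'unsafe-eval' (which gates eval, the Function constructor and string arguments to setTimeout alike). The extension page never evaluates the string itself; it posts it into the sandbox frame and receives a plain-data reply. The following is an added example, not code from the question or from any answer; the file names sandbox.html, sandbox.js and popup.js, the message shape ({type, id, code, input}) and the mock-API use case are assumptions chosen to match the asker's scenario.

```javascript
// Added example: running user-supplied mock-handler code in a Manifest V3
// sandboxed page rather than in the privileged extension context.
//
// manifest.json (assumed file names; the key layout is the documented MV3 one):
//   "content_security_policy": {
//     "extension_pages": "script-src 'self'; object-src 'self'",
//     "sandbox": "sandbox allow-scripts; script-src 'self' 'unsafe-eval'"
//   },
//   "sandbox": { "pages": ["sandbox.html"] }
//
// The sandboxed page has a unique origin and no chrome.* APIs, so the
// evaluated string cannot reach extension storage, tabs or cookies; its only
// channel back to the extension is postMessage.

// ---- sandbox.js: runs inside sandbox.html under the relaxed CSP ----

// Accept only well-formed requests: an object of the expected type whose
// code body is a string. Everything else is ignored.
function isEvalRequest(data) {
  return data !== null && typeof data === 'object' &&
    data.type === 'mock-eval' &&
    typeof data.id === 'string' &&
    typeof data.code === 'string';
}

// Compile the user's handler with Function so it runs in the sandbox page's
// global scope, not the lexical scope of this file, and return only
// JSON-serialisable data so no live objects cross the frame boundary.
function runMock(request) {
  try {
    const handler = new Function('input', request.code);
    const result = handler(request.input);
    return { type: 'mock-result', id: request.id, ok: true, body: JSON.stringify(result) };
  } catch (err) {
    return { type: 'mock-result', id: request.id, ok: false, error: String(err && err.message) };
  }
}

// Dispatcher: returns null for anything that is not a valid request.
function handleMessage(data) {
  if (!isEvalRequest(data)) return null;
  return runMock(data);
}

if (typeof window !== 'undefined' && window.parent !== window) {
  // Inside the sandboxed iframe: reply to the embedding extension page.
  window.addEventListener('message', (event) => {
    const reply = handleMessage(event.data);
    if (reply) event.source.postMessage(reply, event.origin);
  });
}

// ---- popup.js (extension page, the privileged side) ----
// Never evaluates anything; forwards the code to the sandbox frame and
// resolves with the data-only reply that carries the matching id.
function evalInSandbox(frame, code, input) {
  return new Promise((resolve, reject) => {
    const id = String(Math.random()).slice(2);
    function onReply(event) {
      if (event.source !== frame.contentWindow) return; // only our sandbox frame
      const data = event.data;
      if (!data || data.type !== 'mock-result' || data.id !== id) return;
      window.removeEventListener('message', onReply);
      if (data.ok) resolve(JSON.parse(data.body));
      else reject(new Error(data.error));
    }
    window.addEventListener('message', onReply);
    // A sandboxed frame has an opaque origin, so '*' is the only usable target.
    frame.contentWindow.postMessage({ type: 'mock-eval', id, code, input }, '*');
  });
}
```

The extension page would embed sandbox.html in an iframe and call evalInSandbox(frame, userCode, requestObject); checking event.source and the request id on the way back keeps any other frame from injecting results, and serialising the reply to JSON means only data, never functions or DOM references, returns to the privileged side.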

2 Answers


Using eval or any other way, like new Function, to execute code from a string is not supported in Manifest V3. It's against their updated policy. Manifest V3 does not allow arbitrary code execution.

ref: https://developer.chrome.com/docs/extensions/mv3/intro/mv3-migration/#remotely-hosted-code

However, a spokesperson from Google confirmed that they plan to support userscript managers (which depend on arbitrary code execution) in Manifest V3 before the Manifest V2 deprecation. Most likely the end user would need to enable some setting in order to allow the extension to run arbitrary code.

ref: https://github.com/Tampermonkey/tampermonkey/issues/644#issuecomment-1140110430

See if you can bypass it with the Function( "return " + toBeEvaluated )() constructor; if that's blacklisted too, see if they left setTimeout( toBeEvaluated, 1 ) out. That would work as a substitution too.

But this fix is of no avail; we need to fix the problem at its source. We need to fix the superstition surrounding the eval command. People need to stop being afraid of power.
