javascript - Content Security Policy directive: "script-src 'self' blob: filesystem: chrome-extension-r

I am using the jQuery simple weather plugin to get the weather and trying to create a Chrome widget.

While loading the file as a Chrome extension, I am getting an error. After looking at all the help provided by Google and here itself, I am still not able to resolve this issue.

Below is the error for Yahoo weather:

> jquery-2.1.3.min.js:4 Refused to load the script
> 'https://query.yahooapis.com/v1/public/yql?format=json&rnd=2016437&diagnosti…ces(1)%20where%20text=%22New%20Delhi%22)%20and%20u=%22c%22&_=1462326587463'
> because it violates the following Content Security Policy directive:
> "script-src 'self' blob: filesystem: chrome-extension-resource:".

Another error which is for font,

> Refused to load the font
> 'data:application/octet-stream;base64,AAEAAAAPAIAAAwBwR1NVQrD+s+0AAAD8AAAAQk…GIUViwQIhYsQNkRLEmAYhRWLoIgAABBECIY1RYsQMARFlZWVmzDAIBDCq4Af+FsASNsQIARAAA'
> because it violates the following Content Security Policy directive:
> "default-src *". Note that 'font-src' was not explicitly set, so
> 'default-src' is used as a fallback.

The manifest code used is:

    "content_security_policy": "script-src 'self'; object-src 'self' https://query.yahooapis.com/",
    "permissions": [
      "tabs", "<all_urls", "http://localhost/",
      "http://*/*", "https://*/*", "https://query.yahooapis.com/*"
    ],
    "content_scripts":
    [{
        "css": [
            "css/ponent.css",
            "css/tooltip-line.css",
            "css/modal.css"
        ],
        "js": [
            "js/modernizr.custom.js",
            "js/jquery-2.1.3.min.js",
            "js/jquery.simpleWeather.min.js",
            "js/handlebars-v4.0.5.js",
            "js/moment.min.js",
            "js/background.js"
        ],
        "matches": [ "http://*/*", "https://*/*"]
    }]

Also, in my HTML file I am using this meta tag:

    <meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' http://* 'unsafe-inline'; script-src 'self' http://* 'unsafe-inline' 'unsafe-eval'" />

Can someone please help me with how I can solve this?

asked May 4, 2016 at 1:59 by Priya Singh

  • Close your tag at <all_urls>, so instead of <all_urls it's actually <all_urls> – user6031759, Jun 18, 2016 at 21:42
  • I'll see if I can help you when I come home. I'll just warn you right away that Chrome extensions are severely limited in their cross-domain content for security reasons. – Simon Hyll, Jan 1, 2018 at 0:02

1 Answer

Your content-security-policy has "script-src 'self'", which means scripts cannot be loaded from a third-party URL.

You have specified the Yahoo API in the object-src directive. The object-src directive (MDN) specifies valid sources for the <object>, <embed>, and <applet> elements.

To load the script from a third party, you have to specify it in the script-src directive like this:

    "content_security_policy": "script-src https://query.yahooapis.com/ 'self'; ..."
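The two refusals in the question can be reproduced offline with a small source-list matcher. This is an added example, not code from the question, the answer or Chrome: `parseCsp`, `sourceMatches` and `cspAllows` are hypothetical names, the matching is simplified (ports ignored), the extension ID is a placeholder, and the policy strings are constructed from the ones quoted above.

```javascript
// Added example: simplified CSP source matching (not Chrome's implementation).
// Ports are ignored and a scheme-less host source matches any scheme.

// Split a policy into { directive: [source, ...] }; the first occurrence of a directive wins.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in directives)) directives[key] = sources;
  }
  return directives;
}

function sourceMatches(source, url, selfOrigin) {
  if (source === "'self'") return `${url.protocol}//${url.host}` === selfOrigin;
  if (source.startsWith("'")) return false; // 'unsafe-inline', 'none', nonces, hashes
  if (source === '*') return ['http:', 'https:'].includes(url.protocol); // never data:/blob:
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::[\d*]+)?(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, path] = m;
  if (scheme && url.protocol !== `${scheme.toLowerCase()}:`) return false;
  const hostOk = host === '*' ||
    (host.startsWith('*.') ? url.hostname.endsWith(host.slice(1)) : url.hostname === host.toLowerCase());
  if (!hostOk) return false;
  if (!path) return true;
  return path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path;
}

// True if `directive` (falling back to default-src) permits loading urlString.
function cspAllows(policy, directive, urlString, selfOrigin) {
  const directives = parseCsp(policy);
  const sources = directives[directive] ?? directives['default-src'];
  if (!sources) return true; // nothing restricts this resource type
  const url = new URL(urlString);
  return sources.some((s) => sourceMatches(s, url, selfOrigin));
}

// Constructed inputs modelled on the question; the extension ID is a placeholder.
const SELF = 'chrome-extension://abcdefghijklmnop';
const YQL = 'https://query.yahooapis.com/v1/public/yql?format=json';
const asked = "script-src 'self'; object-src 'self' https://query.yahooapis.com/";
const fixed = "script-src https://query.yahooapis.com/ 'self'; object-src 'self'";
console.log(cspAllows(asked, 'script-src', YQL, SELF)); // host is only in object-src
console.log(cspAllows(fixed, 'script-src', YQL, SELF)); // host moved to script-src
console.log(cspAllows('default-src *', 'font-src', 'data:font/woff;base64,AAAA', SELF));
```

The last call shows why the font was refused: `*` does not cover `data:` URLs, so the page's meta policy would need an explicit `font-src 'self' data:`. Manifest V3 no longer accepts remote hosts in the extension-page `script-src`, so there the JSONP request has to become a `fetch`/XHR call instead.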
