Chrome app content security policy

Question

Errors:

Refused to load the script 'https://ssl.google-analytics.com/ga.js' because it violates the following Content Security Policy directive: "default-src 'self' chrome-extension-resource:". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

background.html:9 Refused to frame 'https://www.youtube.com/embed/' because it violates the following Content Security Policy directive: "frame-src 'self' data: chrome-extension-resource:".

Solve: To resolve this issue, I tried adding

"content_security_policy": "script-src 'self' 'unsafe-eval'
https://www.youtube.com/ https://ssl.google-analytics.com/; object-src 'self'"

But then I get the warning:

'content_security_policy' is only allowed for extensions and legacy packaged apps, but this is a packaged app.

What should I do?

Marc Rochkind Marc Rochkind · Accepted Answer · 2014-11-27T23:56:09

You can't load a script directly from the web. All scripts must be inside the Chrome App's folder. This may require you to download the script and place it into a folder that itself is inside the Chrome App folder.

Chrome app content security policy

1 Answers