0
votes

When I try to open the following page as a popup, I get this message:

Refused to load the script 'http://allinternetfinance.com/LetMeKnow/jquery-1.11.2.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'

index.html:4 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-anuyZ9J88P7xGyiuMhMfVwpc613qkiD1ZB3UusOLD6A='), or a nonce ('nonce-...') is required to enable inline execution."

The HTML is:

<html>
<head>
    <script src="http://allinternetfinance.com/LetMeKnow/jquery-1.11.2.js"></script>
    <script>
    $( document ).ready(function() {
        window.location.replace("http://localhost:8080/MembershipApp/index.html");
    });
    </script>
</head>

<body>
</body>
</html>

All I get is a little white square instead of the page I'm trying to redirect to.

2
Are you running this from a Google extension? If not, then it could be related to some XSS HTTP headers: see. script-src 'self' means that you are only allowed to execute scripts from the same src as the current page - Hacketo

2 Answers

1
votes

You need to do two things first:

  • Download jQuery and load it from inside your extension folder, or don't use it at all.
  • Move the content of the script tag to a .js file and reference it.

https://developer.chrome.com/extensions/contentSecurityPolicy

Also, it seems like popups must contain extension files; instead, use

chrome.tabs.create({ url: "http://localhost:8080/MembershipApp/index.html"})
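The two violations from the question and the effect of the fix above can be checked mechanically. This is an added example, not part of the original answer: a small Node.js lint that evaluates a page's script tags against the script-src directive quoted in the error messages. The function names, the file name popup.js and the extension ID are assumptions made for illustration.

```javascript
// Added example: lint a popup page against the script-src directive quoted in the errors.
const POLICY = "script-src 'self' 'unsafe-eval'";

// Source expressions listed for one directive of a CSP string.
function sources(policy, directive) {
  const tokens = policy.split(';').map(d => d.trim().split(/\s+/))
    .find(t => t[0] === directive);
  return tokens ? tokens.slice(1) : [];
}

// One finding per <script> element the policy would refuse.
// Hash and nonce sources are not evaluated in this sketch.
function lintScripts(html, pageOrigin, policy = POLICY) {
  const allowed = sources(policy, 'script-src');
  const findings = [];
  for (const [, attrs, body] of html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script>/gi)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (src) {
      // Relative URLs resolve against the page and therefore match 'self'.
      const url = new URL(src[1], pageOrigin + '/');
      const origin = `${url.protocol}//${url.host}`;
      const ok = (origin === pageOrigin && allowed.includes("'self'")) ||
                 allowed.includes(origin);
      if (!ok) findings.push({ kind: 'external', detail: src[1] });
    } else if (body.trim() && !allowed.includes("'unsafe-inline'")) {
      findings.push({ kind: 'inline', detail: body.trim().split('\n')[0] });
    }
  }
  return findings;
}

// Constructed inputs: the popup from the question, and the same popup with jQuery
// copied into the extension folder and the inline code moved to popup.js.
const EXT = 'chrome-extension://aaaabbbbccccddddeeeeffffgggghhhh'; // placeholder ID
const before = `<html><head>
<script src="http://allinternetfinance.com/LetMeKnow/jquery-1.11.2.js"></script>
<script>
$(document).ready(function () {
  window.location.replace("http://localhost:8080/MembershipApp/index.html");
});
</script></head><body></body></html>`;
const after = `<html><head>
<script src="jquery-1.11.2.js"></script>
<script src="popup.js"></script>
</head><body></body></html>`;

console.log(lintScripts(before, EXT)); // one external and one inline finding
console.log(lintScripts(after, EXT));  // no findings
```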

0
votes

Please read up on script injection for Chrome extensions. Programmatic Injection for Chrome Extensions

  1. You likely do not have cross-origin permissions for the extension
  2. You have to "inject" the script or use a manifest declaration before it is usable. This is due to headers and "same origin policy" for modern browsers as a security measure.

Lastly, make sure you inject the script into the newly created tab, or into an existing tab. DO NOT execute the script inside of the popup window itself or it will execute inside the popup box as if it was its own window (unless that's what you want).

EDIT: Ideally, you'll want to download the jQuery script as mentioned by another poster, and host that inside of your extension. Make sure you declare the jQuery library as a Web Accessible Resource though or you'll get another security error.

Hope this helps.

JRad The Bad