I'm trying to create a Chrome extension, but none of my JS works. The console shows this error:
Refused to load the script 'https://ajax.googleapis.com/ajax/libs/jquery/1.12.0/jquery.min.js' because it violates the following Content Security Policy directive: "script-src 'self' blob: filesystem: chrome-extension-resource:".
Why is it blocking my jQuery from running?
As explained on the Chome website, there is a Content Security Policy preventing your script to load remote script:
A relaxed policy definition which allows script resources to be loaded from example.com over HTTPS might look like:
"content_security_policy": "script-src 'self' https://example.com; object-src 'self'"
So in your case, the manifest.json should contain:
{
"name": "My Extension",
"manifest_version": 2,
"background":{
"scripts": [...]
},
"content_security_policy": "script-src 'self' https://example.com; object-src 'self'",
}
I will tell you long story short. Google Chrome has CSP (Content Security Policy), which means chrome extensions don't allow the external script. If you are using the vue cdn then just perform following steps and your are good to go.
{
"manifest_version": 2,
"name" : "Hello Extension",
"version" : "1.0",
"permissions": [
"https://cdn.jsdelivr.net/npm/vue/dist/vue.js"
],
"background": {
"scripts": ["popup.js"],
"persistent": false
},
"description" : "Testing the hello world extension",
"icons": {
"16" : "icons16.png",
"48" : "icons16.png",
"128" : "icons16.png"
},
"browser_action": {
"default_icon" : "icons16.png",
"default_popup" : "popup.html"
},
"content_security_policy": "script-src 'self' 'unsafe-eval' https://cdn.jsdelivr.net; object-src 'self'"
}
external js here popup.js add the Vue code and everything will work great.var app = new Vue({
el: "#app",
data: {
name: ""
}
});
Content Security Policy is another layer of security for your application. It lets you define all the origins from which you are loading any styles, scripts or data. For each of the style, script, font or connect, you need to specify the domains which you are loading in your application. If you are using a CDN jQuery of another domain, you need to specify this domain in the Content Security Policy.
If you don't want this added layer of security and would like to load styles or scripts from any domain you wish, just add this following meta tag in your index.html and make sure this is located before any of your imports.
<meta http-equiv="Content-Security-Policy" content="default-src *;">
here * is the wildcard character which lets you access any domain. If you want this added layer of security I suggest you go to the documentation which is very clear about how to specify all the domains you want import in your application
well, you cant use CDN for js, you will be have to copy the content of "https://ajax.googleapis.com/ajax/libs/jquery/1.12.0/jquery.min.js" and create a new file inside your js directory and call it jquery.min.js and paste everything in it , then in your HTML file header remove the line that has this url in it and use this one instead
<script src="js/jquery.min.js"></script>
but make sure that this is the write path for the file that contains all the data in the mentioned url
cheers,
According to the Chrome Extension documentation, you need to download a copy of the external resource into your package folder and load the script locally.
Loading external scripts is not allowed.
