0
votes

I am developing a Chrome Extension, and I have this in my index.html head:

  <script src="https://cdnjs.cloudflare.com/ajax/libs/js-beautify/1.7.5/beautify-html.js"></script>

I am getting this error:

Refused to load the script 'https://cdnjs.cloudflare.com/ajax/libs/js-beautify/1.7.5/beautify-html.js' because it violates the following Content Security Policy directive: "script-src 'unsafe-eval'".

Here is my manifest.json config:

 "content_security_policy": "script-src '*' 'unsafe-eval'; object-src '*';"

Does anyone know if there is a possible way to load <script>s which reference a www link? Are there some permissions I am missing?

1 Answer

2
votes

The current security policy that you're using only applies to your extension; that is because you cannot use just *. Wildcards are allowed, but only to construct a URL. If you want to allow https://cdnjs.cloudflare.com, you'll have to specify that domain, something like this:

"content_security_policy": "script-src 'self' https://cdnjs.cloudflare.com;  object-src 'self';"

You can learn more about the content_security_policy property from HERE
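
An added example (not part of the original answer, and not Chrome's own validator): a simplified JavaScript lint that applies the rule described in the answer to the two policies on this page and checks whether each one covers the CDN script. The function names are hypothetical, and host matching ignores paths and ports.

```javascript
// Added example: simplified lint following the answer's rule; not Chrome's validator.
const KEYWORDS = new Set(["'self'", "'unsafe-eval'", "'none'"]);

function classifySource(src) {
  if (KEYWORDS.has(src)) return "keyword";
  // A bare * or a quoted '*' names no origin, so it cannot allow a remote script.
  if (src === "*" || src === "'*'") return "bare-wildcard";
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^\/:]+)(:\d+)?(\/.*)?$/i.exec(src);
  if (!m) return "unrecognized";
  if (m[1].toLowerCase() !== "https") return "insecure-scheme";
  // A wildcard may only stand for a subdomain of a named domain: https://*.example.com
  const labels = m[2].split(".");
  const rest = labels[0] === "*" ? labels.slice(1) : labels;
  if (rest.some((l) => l.includes("*")) || (labels[0] === "*" && rest.length < 2)) return "wildcard-host";
  return "origin";
}

// Return the source list of one directive, or [] when the directive is absent.
function sourcesOf(policy, name) {
  const parts = policy.split(";").map((d) => d.trim().split(/\s+/));
  const directive = parts.find((d) => d[0] === name);
  return directive ? directive.slice(1) : [];
}

// Report every script-src / object-src source that is neither a keyword nor a named https origin.
function lintExtensionCsp(policy) {
  const findings = [];
  for (const name of ["script-src", "object-src"]) {
    for (const source of sourcesOf(policy, name)) {
      const kind = classifySource(source);
      if (kind !== "keyword" && kind !== "origin") findings.push({ directive: name, source, kind });
    }
  }
  return findings;
}

// True when some named https origin in script-src covers the host of the script URL.
function allowsScript(policy, url) {
  const target = new URL(url);
  if (target.protocol !== "https:") return false;
  return sourcesOf(policy, "script-src").some((source) => {
    if (classifySource(source) !== "origin") return false;
    const host = source.replace(/^https:\/\//i, "").split(/[\/:]/)[0];
    return host.startsWith("*.") ? target.hostname.endsWith(host.slice(1)) : target.hostname === host;
  });
}

// Values taken from the question and the answer on this page.
const SCRIPT_URL = "https://cdnjs.cloudflare.com/ajax/libs/js-beautify/1.7.5/beautify-html.js";
const QUESTION_POLICY = "script-src '*' 'unsafe-eval'; object-src '*';";
const ANSWER_POLICY = "script-src 'self' https://cdnjs.cloudflare.com;  object-src 'self';";
console.log(lintExtensionCsp(QUESTION_POLICY), allowsScript(ANSWER_POLICY, SCRIPT_URL));
```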