2
votes

I try to encrypt user data with the CryptoJS library and send it to the server by AJAX, but the console shows the error:

Refused to load the script 'https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.0.0/crypto-js.min.js' because it violates the following Content Security Policy directive: "script-src 'self' https://apis.google.com 'unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

My manifest code contains:

"content_security_policy": "script-src 'self' https://apis.google.com 'unsafe-eval'; object-src 'self'"

How can I solve this problem?

1
It's best to remove content_security_policy and put the scripts into the extension directory and load them as any other extension script. Only then, if for some reason they won't work, use the custom CSP and add the Cloudflare domain from the script URL to the CSP string. - wOxxOm
Try adding permissions for that URL in the manifest.json file. - Surjith S M
Also try: "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'", - Surjith S M

1 Answer

2
votes

For those who stumble upon the same issue: I had the same, and it was resolved after I updated content_security_policy to include the googleapis URL I was trying to load.

My code:

<head>
...
<script src="https://maps.googleapis.com/maps/api/js?key=API_KEY&libraries=places"></script>
</head>

Needed

{
  "content_security_policy": "script-src 'self' 'unsafe-eval' https://maps.googleapis.com 'unsafe-inline'; object-src 'self'"
}
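
As an added example (not part of the question, comments or answer above), this simplified JavaScript check shows why the question's policy rejects the cdnjs script while the answer's policy admits the Maps script, and lists the keywords that relax each policy. The function names `parseCsp` and `checkScript` are hypothetical, and only exact-origin sources are modelled (no wildcards, paths, nonces or hashes).

```javascript
// Added example: simplified model of CSP script-source matching for a
// manifest "content_security_policy" string. Not the browser's algorithm.

function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function checkScript(policy, scriptUrl) {
  const directives = parseCsp(policy);
  // Fallback named in the console error: script-src-elem, then script-src
  // (and finally default-src).
  const used = ['script-src-elem', 'script-src', 'default-src']
    .find((d) => directives.has(d));
  const sources = used ? directives.get(used) : null;
  const origin = new URL(scriptUrl).origin;
  // No governing directive means this policy does not restrict scripts.
  const allowed = sources === null || sources.some((s) => {
    if (s.startsWith("'")) return false; // keywords never match a remote URL
    try { return new URL(s).origin === origin; } catch { return false; }
  });
  // Keywords that loosen the policy and deserve review before shipping.
  const relaxations = (sources || [])
    .filter((s) => s === "'unsafe-eval'" || s === "'unsafe-inline'");
  return { directive: used || null, allowed, relaxations };
}

// Policies and URLs taken from the question and the answer on this page.
const questionCsp =
  "script-src 'self' https://apis.google.com 'unsafe-eval'; object-src 'self'";
const answerCsp =
  "script-src 'self' 'unsafe-eval' https://maps.googleapis.com 'unsafe-inline'; object-src 'self'";
const cdnUrl =
  'https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.0.0/crypto-js.min.js';
const mapsUrl =
  'https://maps.googleapis.com/maps/api/js?key=API_KEY&libraries=places';

console.log(checkScript(questionCsp, cdnUrl));
console.log(checkScript(answerCsp, mapsUrl));
```

Each remote origin and each `'unsafe-*'` keyword reported here widens what the extension will execute, which is why the first comment's suggestion of bundling the library in the extension directory keeps the policy tightest.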