Menu
The Content Security Policy (CSP) prevents cross-site scripting attacks by blocking inline execution of scripts and style sheets. To solve this, move all inline scripts (e.g. onclick=[JS code]) and styles into external files. adding the hash or nonce of the inline script to your CSP header.
To edit the configuration, go to chrome://extensions and click Options under Content Security Policy Override. The text area in the Options automatically saves as you edit.
Click the extension icon to disable Content-Security-Policy header for the tab. Click the extension icon again to re-enable Content-Security-Policy header. Use this only as a last resort. Disabling Content-Security-Policy means disabling features designed to protect you from cross-site scripting.
Content Security Policy blocks all resources that don't match it's policy. To view the policy for a specific website use the CSP Evaluator.
From the Chrome extension CSP docs:
Inline JavaScript will not be executed. This restriction bans both inline
<script>blocks and inline event handlers (e.g.<button onclick="...">).
You cannot have inline scripts in your extension HTML like:
<script>alert("I'm an inline script!");</script>
<button onclick="alert('I am an inline script, too!')">
Rather, you must place your script into a separate file:
<script src="somescript.js"></script>
If you are using React with create-react-app:
create a .env file in project root
Add variable as follows: INLINE_RUNTIME_CHUNK=false
Build the project again and load the extension again.
Source
You have to add content_security_policy to your manifest.json file:
"content_security_policy": "script-src 'self' 'sha256-B+Qe/KNUDtGDd/m1g5ycAq1DgpLs9ubKmYTlOHBogC8='; object-src 'self'"
You will find the hash from console.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With