Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Content-Security-Policy error in google chrome extension making

I am making a chrome extension that will open all links on a page in new tabs.

Here are my code files:

manifest.json

{
  "name": "A browser action which changes its icon when clicked.",
  "version": "1.1",
    "permissions": [
    "tabs", "<all_urls>"
  ],
 "browser_action": {     
    "default_title": "links",      // optional; shown in tooltip
    "default_popup": "popup.html"        // optional
  },
 "content_scripts": [
    {
    "matches": [ "<all_urls>" ],
      "js": ["background.js"]
    }
  ],
  "manifest_version": 2
}

popup.html

<!doctype html>
<html>
  <head>
    <title>My Awesome Popup!</title>
    <script>
function getPageandSelectedTextIndex() 
  { 
    chrome.tabs.getSelected(null, function(tab) { 
    chrome.tabs.sendRequest(tab.id, {greeting: "hello"}, function (response) 
    { 
        console.log(response.farewell); 
    }); 
   }); 
        } 
chrome.browserAction.onClicked.addListener(function(tab) { 
        getPageandSelectedTextIndex(); 
});
         </script>
  </head>
  <body>
    <button onclick="getPageandSelectedTextIndex()">
      </button>
  </body>
</html>

background.js

chrome.extension.onRequest.addListener(
  function(request, sender, sendResponse) {
    console.log(sender.tab ?
                "from a content script:" + sender.tab.url :
                "from the extension");
    if (request.greeting == "hello")
    updateIcon();  

});
function updateIcon() {
  var allLinks = document.links;
  for (var i=0; i<allLinks.length; i++) {
    alllinks[i].style.backgroundColor='#ffff00';

}
}

Initially I wanted to highlight all the links on the page or mark them in some way; but I get the error "Refused to execute inline script because of Content-Security-Policy".

When I press the button inside the popup, I get this error: Refused to execute inline event handler because of Content-Security-Policy.

Please help me fix these errors, so I can open all links in new tabs using my chrome extension.

like image 656
Saad Avatar asked Jun 15 '12 06:06

Saad


People also ask

How do I fix blocked Content-Security-Policy on Google Chrome?

Click the extension icon to disable Content-Security-Policy header for the tab. Click the extension icon again to re-enable Content-Security-Policy header. Use this only as a last resort. Disabling Content-Security-Policy means disabling features designed to protect you from cross-site scripting.

How do I fix a Chrome extension error?

In the task manager, locate the extension and tap End Process. This will disable the extension from the browser. Now, go to More Tools > Extensions and give the extension a fresh start by tapping on Reload. Even after the fixes above, if the extension doesn't load correctly, uninstall it and reinstall it.

Why is Chrome not allowing me to enable an extension?

If you see a message saying "Extensions Disabled," it's because Chrome has turned off one or more of your extensions to keep your data safe while you're browsing the Internet. The extensions that Chrome turned off either didn't come from the Chrome Web Store or were determined unsafe.

How do I enable Content-Security-Policy in Chrome?

To edit the configuration, go to chrome://extensions and click Options under Content Security Policy Override. The text area in the Options automatically saves as you edit.


1 Answers

One of the consequences of "manifest_version": 2 is that Content Security Policy is enabled by default. And Chrome developers chose to be strict about it and always disallow inline JavaScript code - only code placed in an external JavaScript file is allowed to execute (to prevent Cross-Site Scripting vulnerabilities in extensions). So instead of defining getPageandSelectedTextIndex() function in popup.html you should put it into a popup.js file and include it in popup.html:

<script type="text/javascript" src="popup.js"></script>

And <button onclick="getPageandSelectedTextIndex()"> has to be changed as well, onclick attribute is also an inline script. You should assign an ID attribute instead: <button id="button">. Then in popup.js you can attach an event handler to that button:

window.addEventListener("load", function()
{
  document.getElementById("button")
          .addEventListener("click", getPageandSelectedTextIndex, false);
}, false);
like image 87
Wladimir Palant Avatar answered Oct 16 '22 00:10

Wladimir Palant