I'm trying to create a Chrome packaged app from a complicated web app. I'm currently getting the error:
Refused to execute inline event handler because it violates the following Content Security Policy directive: "default-src 'self' chrome-extension-resource:". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
How do I explicitly set the policy in my manifest.json? I've tried things like:
"content_security_policy": "default-src 'inline'; script-src 'inline'"
but I still get the same error message. Is my syntax wrong, or is the error a red herring?
You can't loosen the default CSP in a packaged app. If you're doing something like <button id="foo" onclick="doSomething()">
then you should instead include a separate JS file in the HTML where you do a document.querySelector("#foo").onclick = doSomething;
in your onload handler. This will comply with CSP and make your app more resistant to XSS attacks.
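An added example, not part of the original answers: before the handlers of a large web app can be moved into a separate JS file as described above, they have to be found. This Node.js sketch scans HTML source for inline event handlers and, going beyond the `onclick` case, also flags inline `<script>` blocks and `javascript:` URLs, which the same policy refuses. The function name `findInlineScriptViolations` and the sample page are constructed for illustration.

```javascript
// Added example: audit HTML source for constructs the packaged-app CSP refuses.
// Regex-based on purpose (no dependencies); a triage heuristic, not a full HTML parser.

// Constructed sample page, not taken from the original question.
const SAMPLE_HTML = `<!doctype html>
<html>
<head>
  <script src="app.js"></script>
  <script>var inlineConfig = {debug: true};</script>
</head>
<body onload="init()">
  <button id="foo" onclick="doSomething()">Go</button>
  <a href="javascript:void(0)">noop</a>
  <p>Plain text mentioning onclick is not a finding.</p>
</body>
</html>`;

function findInlineScriptViolations(html) {
  const findings = [];
  const lineOf = (index) => html.slice(0, index).split("\n").length;
  // Opening tags only; attribute values may be double-quoted, single-quoted or bare.
  const tagRe = /<([a-zA-Z][\w-]*)((?:\s+[^\s"'>=\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/g;
  const attrRe = /([^\s"'>=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

  for (const tag of html.matchAll(tagRe)) {
    const name = tag[1].toLowerCase();
    const attrs = new Map();
    for (const a of tag[2].matchAll(attrRe)) {
      attrs.set(a[1].toLowerCase(), a[2] ?? a[3] ?? a[4] ?? "");
    }
    const line = lineOf(tag.index);
    for (const [attr, value] of attrs) {
      if (/^on[a-z]+$/.test(attr)) {
        findings.push({ line, kind: "inline-handler", tag: name, detail: `${attr}="${value}"` });
      } else if (/^\s*javascript:/i.test(value)) {
        findings.push({ line, kind: "javascript-url", tag: name, detail: `${attr}="${value}"` });
      }
    }
    const type = (attrs.get("type") || "").toLowerCase();
    if (name === "script" && !attrs.has("src") && (type === "" || /javascript|module/.test(type))) {
      findings.push({ line, kind: "inline-script", tag: name, detail: "<script> without src" });
    }
  }
  return findings;
}

for (const f of findInlineScriptViolations(SAMPLE_HTML)) {
  console.log(`line ${f.line}: ${f.kind} on <${f.tag}> ${f.detail}`);
}
```

Each `inline-handler` finding marks an element whose handler needs to be bound from the external script instead.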
I faced the same problem, and while reading this document I found the following:
"sandbox": {
  "pages": ["sandboxed.html"]
}