is Content Security Policy 'unsafe-inline' deprecated?

I'm developing a Chrome Extension, I tried to add the 'unsafe-inline' CSP as per the Google Docs

However after doing so and attempting to reload my extension at chrome://extensions/ I'm getting:

There were warnings when trying to install this extension: Ignored insecure CSP value "'unsafe-inline'" in directive 'script-src'.

For ref the entire CSP as defined in manifest.json:

"content_security_policy": "script-src 'self' 'unsafe-inline' https://localhost:8000; object-src 'self'"

So, why am I not able to set 'unsafe-inline'?

Geert-Jan asked May 13 '16 20:05


1 Answer

It's not deprecated, it's perfectly fine on the web.

However, it's simply not allowed in extensions as a security measure (and frankly, good practices enforcement).

Documentation explains what you can and can't do with CSP.

Up until Chrome 45, there was no mechanism for relaxing the restriction against executing inline JavaScript. In particular, setting a script policy that includes 'unsafe-inline' will have no effect.

As of Chrome 46, inline scripts can be whitelisted by specifying the base64-encoded hash of the source code in the policy. This hash must be prefixed by the used hash algorithm (sha256, sha384 or sha512). See Hash usage for elements for an example.

Don't use inline scripting - it's not needed. The same docs will show how to deal with it.

Xan answered Jan 04 '23 02:01