
I'm making a Chrome newtab extension that loads the user's weather by querying Yahoo Weather. I'm getting a 'Content-Security-Policy' violation from Chrome saying I cannot load the script:

```
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' blob: filesystem: chrome-extension-resource:". Either the 'unsafe-inline' keyword, a hash ('sha256-PeWalvgfJE6xbsZk1lp14cxuyPBUbuIbzFNlAxarXxU='), or a nonce ('nonce-...') is required to enable inline execution.
```

Here is my manifest:

```json
{
    "name": "WeatherTodo",
    "version": "1.0",
    "description": "Extension that shows a weather animation and todolist",
    "manifest_version": 2,
    "permissions": ["storage"],
    "chrome_url_overrides": {
        "newtab": "index.html"
    }
}
```

The problem is that the query is a different URL depending on where the user is, so I'm not sure if I can add it as a safe link to the manifest. Please help.

I think this is the line that is causing the error. I'm not sure, because Chrome is pointing to the HTML line that has my script tag:

```javascript
fetch("https://query.yahooapis.com/v1/public/yql?q=select%20*%20from%20weather.forecast%20where%20woeid%20in%20(SELECT%20woeid%20FROM%20geo.places%20WHERE%20text%3D%22("
    + position.coords.latitude + "%2C" + position.coords.longitude
    + ")%22)&format=json&env=store%3A%2F%2Fdatatables.org%2Falltableswithkeys")
```
  • Possible duplicate of [onClick within Chrome Extension not working](https://stackoverflow.com/questions/13591983/onclick-within-chrome-extension-not-working) – wOxxOm Jul 31 '18 at 07:20
  • TL;DR, put your js code into a separate file and load it via ` – wOxxOm Jul 31 '18 at 07:22

1 Answer


You cannot use inline scripts in HTML as they are prone to script injection, thus Chrome has restricted that. You can read Content Security Policy (CSP).

Shenal
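A pre-packaging check for the restriction discussed in this thread, as an added example that is not part of the original question or answer: it scans an extension page for inline `<script>` bodies, inline event handlers and `javascript:` URLs, all of which a `script-src 'self'` policy refuses to run. The names `findInlineScript` and `SAMPLE_PAGE` are hypothetical, and the sample page is constructed.

```javascript
// Added example: heuristic regex lint (not an HTML parser) for script that a
// CSP of script-src 'self' refuses to run in an extension page.
const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;

function findInlineScript(html) {
  const findings = [];
  const lineOf = (index) => html.slice(0, index).split("\n").length;

  // 1. <script> with a body and no src is inline script; data blocks such as
  //    type="application/json" never execute and are skipped.
  for (const m of html.matchAll(SCRIPT_RE)) {
    const [, attrs, body] = m;
    const type = /\btype\s*=\s*["']?([^"'\s>]+)/i.exec(attrs);
    const isData = type !== null &&
      !/^(module|(text|application)\/(java|ecma)script)$/i.test(type[1]);
    if (!isData && !/\bsrc\s*=/i.test(attrs) && body.trim() !== "") {
      findings.push({ line: lineOf(m.index), kind: "inline-script" });
    }
  }

  // Blank out script elements (keeping newlines for line numbers) so that JS
  // source text is not mistaken for markup by the attribute checks below.
  const markup = html.replace(SCRIPT_RE, (s) => s.replace(/[^\n]/g, " "));

  // 2. Inline event handler attributes (onclick=, onload=, ...), first per tag.
  for (const m of markup.matchAll(/<[a-z][^<>]*?\s(on[a-z]+)\s*=/gi)) {
    findings.push({ line: lineOf(m.index), kind: "inline-handler", attr: m[1].toLowerCase() });
  }

  // 3. javascript: URLs, which the browser also treats as inline script.
  for (const m of markup.matchAll(/\b(?:href|src|action)\s*=\s*["']?\s*javascript:/gi)) {
    findings.push({ line: lineOf(m.index), kind: "javascript-url" });
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample page (not the asker's index.html).
const SAMPLE_PAGE = `<!DOCTYPE html>
<html>
<body onload="init()">
  <script src="weather.js"></script>
  <script type="application/json">{"units": "c"}</script>
  <script>
    loadWeather();
  </script>
  <a href="javascript:refresh()">Refresh</a>
</body>
</html>`;
console.log(findInlineScript(SAMPLE_PAGE));
```

Each finding is code to move into a packaged `.js` file: script bodies become a file loaded with `src`, and handlers become `addEventListener` calls in that file.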