
I'm trying to run a Chrome extension I'm developing locally, but I have a problem whenever I try to use jQuery's full, minified (or even unminified) JS file, downloaded locally under "js/jquery-3.5.1.min.js". The slim build works, but I do not have access to certain features I need for my app. Whenever I load the extension I get the following error message:

```
Refused to execute inline script because it violates the following Content Security Policy directive:
"script-src 'self' blob: filesystem:". Either the 'unsafe-inline' keyword, a hash
('sha256-82hEkGrSMJh3quMSG4f7FbngmAPLTDM63H4eNayS4Us='), or a nonce ('nonce-...') is required to enable
inline execution.
```

This is how I import jQuery in my main popup file "index.html":

```html
...
</div>
<script src="js/jquery-3.5.1.min.js"></script>
<script src="js/bootstrap.min.js"></script>
<script src="js/popper.min.js"></script>
<script src="index.js"></script>
</body>
...
```

This is the JavaScript code I have running that I need jQuery for. Keep in mind it still runs properly, even with the errors:

```javascript
$(document).ready(function () {
    var optionsImage = $("#setting-img")[0];
    // Fetch options.html and insert its markup into #setting-img
    $("#setting-img").load("options.html", function (data) {
        console.log(data);
    });
});
```

I have messed with the manifest.json plenty, including adding a hash and other settings under CSP, but nothing works.

  • This is a [standard problem](https://stackoverflow.com/a/25721457) so the only solutions are a) don't load html like you do, b) remove scripts from options.html, c) correctly relax the CSP in manifest.json. If you decide to go with c) then show us your current CSP value. – wOxxOm Sep 19 '20 at 07:20
  • It doesn't allow for unsafe-inline to go through. So I suppose I can't use the full JQuery? – Carlos Hernandez Sep 21 '20 at 15:26
  • Not sure what "full jQuery" or "go through" means. Everyone uses jquery successfully without any CSP changes. They just don't load html with scripts as explained in my first comment. Please add your new CSP from manifest.json in the question or comment. And show the new error message if it's different. – wOxxOm Sep 21 '20 at 15:30
  • There's the normal jQuery and the slim jQuery build. I don't know what to change CSP to, other than using "unsafe-inline" but I know that's not supposed to work. – Carlos Hernandez Sep 21 '20 at 16:29
  • Ah, you can use normal jQuery in extensions. Just don't load html with scripts as explained in my first comment. And I'd still like to see your actual CSP from manifest.json because I'm not convinced it's correct. – wOxxOm Sep 21 '20 at 17:03

0 Answers