0

I'm making Chrome extention and used following code there:

var wnd = window.open()
wnd.document.write("<script>console.log(123)</script>")

When I run it new tab is opend but the script is not executed due to error

(unknown) Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' blob: filesystem:". Either the 'unsafe-inline' keyword, a hash ('sha256-HNzGVZJz/a6AgeYzhJ2eI5ogYei3YBUxeYiDI0NUpyU='), or a nonce ('nonce-...') is required to enable inline execution.

I have no idea how I should specify unsafe-inline in window.open.

Extension manifest if it matters:

{
  "manifest_version": 2,
  "name": "My ext",
  "version": "1",

  "description": "My ext",
  "icons": {},

  "background": {
    "persistent": true,
    "scripts": ["background.js"]
  },

  "permissions": ["cookies", "http://*/*", "https://*/*", "tabs"]
}
Qwertiy
  • 14,618
  • 9
  • 41
  • 96
  • Extension pages disallow inline JS [by default](https://stackoverflow.com/questions/13591983/onclick-or-inline-script-isnt-working-in-extension). It's better to use another approach: [Pass data or modify extension html in a new tab/window](https://stackoverflow.com/a/54715122) – wOxxOm Mar 02 '21 at 15:48
  • @wOxxOm, note that I'm trying to inline script into normal tab page (`about:blank`) not into the page that is a part of extention. – Qwertiy Mar 02 '21 at 15:53
  • Yes, and the method I suggest is the arguably better alternative that can do everything you want differently. – wOxxOm Mar 02 '21 at 16:03
  • @wOxxOm, I don't understand what exactly you suggest. I see no single way to add a script into opened page without making all scripts running in context of extention instead of context of the page. – Qwertiy Mar 02 '21 at 16:15
  • 1
    Looks like I guessed your objective incorrectly, I thought you want just to show some results in the new page. Well, you can still try to use the first link to relax the CSP as evidently the new window inherits the extension's CSP. – wOxxOm Mar 02 '21 at 16:28
  • @wOxxOm, nice catch, found an interesting workaround. – Qwertiy Mar 02 '21 at 17:12

1 Answers1

0

If markup of the page is not very lage, page can be opened using data-uri:

var html = `<script>console.log(123)</script>`

chrome.tabs.create({
  active: true,
  url: "data:text/html," + encodeURIComponent(html)
}, tab => {})
Qwertiy
  • 14,618
  • 9
  • 41
  • 96