如何修复 chrome-extension 内联 JavaScript 调用错误? [英] How to fix chrome-extension inline JavaScript invocation error?

问题描述

我正在制作一个 chrome 扩展，但是当我尝试启动 onclick() 事件时，我似乎收到以下错误.

I'm making a chrome extension however I seem to get the following error when I try to fire up an onclick() event.

Refused to load the script 'https://apis.google.com/js/client.js?onload=handleClientLoad' because it violates the following Content Security Policy directive: "script-src 'self' blob: filesystem: chrome-extension-resource:"

和

Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' blob: filesystem: chrome-extension-resource:". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.

这是我的 manifest.json :

This is my manifest.json :

{
  "manifest_version": 2,

  "name": "SECURE",
  "description": "this extension offers secure communication for GMAIL     users",
  "version": "1.0",

 "browser_action": {
 "default_icon": "resources/icon16.png",
 "default_popup": "popup.html",
 "default_title": "Click here!"


 },

 "background":{
   "scripts":["background.js"]
},

 "content_scripts": [
  {
   "matches": ["http://*/*", "https://*/*"],
   "js":["myscript.js"],
   "run_at": "document_end"
  }
  ],
"permissions": ["identity", "https://accounts.google.com/*",  "https://www.googleapis.com/*"],

"oauth2": {
   "client_id": "975410329966.apps.googleusercontent.com",
 "scopes": [
   "<all urls>",
   "https://www.googleapis.com/auth/drive",
   "https://mail.google.com/",
   "https://www.googleapis.com/auth/gmail.login",
   "https://www.googleapis.com/auth/gmail.compose",
   "https://www.googleapis.com/auth/gmail.readonly",
   "https://www.googleapis.com/auth/gmail.send"
  ],

 "content_security_policy":"script-src 'self'  'unsafe-inline' 'unsafe eval'  https://apis.google.com/js/client.js?; object-src 'self'"


}
}

对于修复此错误的任何帮助将不胜感激.

Any help towards fixing this error would greatly be appreciated.

推荐答案

默认内容安全策略，内联脚本不会被加载，只能加载本地脚本.您可以通过以下方式放宽默认策略:

By default Content Security Policy, inline scripts won't be loaded and only local script can be loaded. You could relax the default policy by:

1. 内联脚本.看看官方指南，内联脚本可以通过指定策略中源代码的 base64 编码哈希.请参阅元素的哈希用法一个例子.

1. Inline Script. Take a look at Official Guide, inline scripts can be whitelisted by specifying the base64-encoded hash of the source code in the policy. See Hash usage for elements for an example.

但我相信更好的方法是将此逻辑提取到单独的脚本中，而不是使用内联脚本.

远程脚本.您可以通过 manifest.json

Remote Script. You could whitelist script resources https://apis.google.com/js/client.js?onload=handleClientLoad by the following section in manifest.json

"content_security_policy":"script-src 'self' https://apis.google.com; object-src 'self'"

另外，我相信更好的方法是下载远程 client.js 并将其作为本地脚本包含进来.

Also, I believe a better way could be downloading the remote client.js and include it as a local script.

请注意内联脚本的说明，unsafe-inline 不再有效.

Please be aware as per the description of Inline Script, unsafe-inline no longer works.

在 Chrome 45 之前，没有机制可以放宽对执行内联 JavaScript 的限制.特别是，设置包含unsafe-inline"的脚本策略将不起作用.

Up until Chrome 45, there was no mechanism for relaxing the restriction against executing inline JavaScript. In particular, setting a script policy that includes 'unsafe-inline' will have no effect.

这篇关于如何修复 chrome-extension 内联 JavaScript 调用错误?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！