如何解决铬扩展内嵌JavaScript调用错误？ [英] How to fix chrome-extension inline JavaScript invocation error?

问题描述

我正在做一个Chrome扩展，但是当我尝试启动一个onclick（）事件时，似乎出现以下错误。

 拒绝加载脚本'https://apis.google.com/js/client.js?onload=handleClientLoad'因为它违反了以下内容安全策略指令：script-src'self'blob：filesystem：chrome-extension-resource：
  

和

 拒绝执行内联事件处理程序，因为它违反了以下内容安全策略指令：脚本-src'self'blob：filesystem：chrome-extension-resource：。 内联不安全关键字，散列（'sha256 -...'）或一个随机数（'nonce -...'）是启用内联执行所必需的。 
  

这是我的manifest.json：

 {
manifest_version：2，
 
name：SECURE，
description： GMAIL用户通讯，
版本：1.0，
 
browser_action：{
default_icon：resources / icon16.png，
default_popup：popup.html，
default_title：点击这里！ 
 
 
，
 
background：{
scripts：[background.js] 
}，
 
content_scripts：[
 {
matches：[http：// * / *，https：// * / *]，
 js：[myscript.js]，
run_at：document_end
} 
]，
permissions：[identity，https： https://www.googleapis.com/*]，
 
oauth2：{
client_id：975410329966。 apps.googleusercontent.com，
范围：[
<所有网址>，
https://www.googleapis.com/auth/drive，
https://mail.google.com/，
https://www.googleapis.com/auth/gmail.login，
https：//www.googleapis。 com / auth / gmail.compose，
https://www.googleapis.com/auth/gmail.readonly，
https://www.googleapis.com/auth/gmail。发送 
]，
 
 content_security_policy： 脚本的src '自我''不安全内联 '不安全的eval' https://apis.google.com/js/client。 js ?; object-src'self'
 
 
} 
} 
  

任何帮助解决这个错误都将非常感激。

解决方案

默认情况下内容安全策略，内联脚本将不会被加载，只能加载本地脚本。您可以通过以下方式放宽默认政策：

1. 内联脚本。看看官方指南，内嵌脚本可以通过指定的白名单策略中源代码的base64编码散列。请参阅元素的散列使用情况一个例子。

   
   
   

   但我认为更好的方法是将此逻辑提取到单独的脚本并且不使用内联脚本。




2. 远程脚本。您可以通过清单中的以下部分将脚本资源列入白名单 https://apis.google.com/js/client.js?onload=handleClientLoad 。 json

    content_security_policy：script-src'self'https://apis.google .com; object-src'self'
     

   另外，我相信更好的方法可以正在下载远程 client.js 并将其包含为本地脚本。
   $ b

   请注意按照联脚本的描述， unsafe-inline 不再有效。
   
   

   
   

   45，没有放松对内嵌JavaScript执行限制的机制。特别是，强制使用包含'不安全内联'的脚本策略将不起作用。

   
   

   
   

   I'm making a chrome extension however I seem to get the following error when I try to fire up an onclick() event.

   Refused to load the script 'https://apis.google.com/js/client.js?onload=handleClientLoad' because it violates the following Content Security Policy directive: "script-src 'self' blob: filesystem: chrome-extension-resource:"
   

   and

   Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' blob: filesystem: chrome-extension-resource:". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
   

   This is my manifest.json :

   {
     "manifest_version": 2,
   
     "name": "SECURE",
     "description": "this extension offers secure communication for GMAIL     users",
     "version": "1.0",
   
    "browser_action": {
    "default_icon": "resources/icon16.png",
    "default_popup": "popup.html",
    "default_title": "Click here!"
   
   
    },
   
    "background":{
      "scripts":["background.js"]
   },
   
    "content_scripts": [
     {
      "matches": ["http://*/*", "https://*/*"],
      "js":["myscript.js"],
      "run_at": "document_end"
     }
     ],
   "permissions": ["identity", "https://accounts.google.com/*",  "https://www.googleapis.com/*"],
   
   "oauth2": {
      "client_id": "975410329966.apps.googleusercontent.com",
    "scopes": [
      "<all urls>",
      "https://www.googleapis.com/auth/drive",
      "https://mail.google.com/",
      "https://www.googleapis.com/auth/gmail.login",
      "https://www.googleapis.com/auth/gmail.compose",
      "https://www.googleapis.com/auth/gmail.readonly",
      "https://www.googleapis.com/auth/gmail.send"
     ],
   
    "content_security_policy":"script-src 'self'  'unsafe-inline' 'unsafe eval'  https://apis.google.com/js/client.js?; object-src 'self'"
   
   
   }
   }
   

   Any help towards fixing this error would greatly be appreciated.

   解决方案

   By default Content Security Policy, inline scripts won't be loaded and only local script can be loaded. You could relax the default policy by:

   1. Inline Script. Take a look at Official Guide, inline scripts can be whitelisted by specifying the base64-encoded hash of the source code in the policy. See Hash usage for elements for an example.

      But I believe a better way would extract this logic to a separate script and not use inline script.

   2. Remote Script. You could whitelist script resources https://apis.google.com/js/client.js?onload=handleClientLoad by the following section in manifest.json

      "content_security_policy":"script-src 'self' https://apis.google.com; object-src 'self'"
      

      Also, I believe a better way could be downloading the remote client.js and include it as a local script.

   Please be aware as per the description of Inline Script, unsafe-inline no longer works.

   Up until Chrome 45, there was no mechanism for relaxing the restriction against executing inline JavaScript. In particular, setting a script policy that includes 'unsafe-inline' will have no effect.

   这篇关于如何解决铬扩展内嵌JavaScript调用错误？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！