Chrome应用中的内容安全政策 [英] Content Security Policy in Chrome App

问题描述

我的Chrome应用具有以下清单：

  {
name：，
 版本：1.0.3，
manifest_version：2，
description：Chrome扩展名为。，
图标：{
16 ：images / test.png，
19：images / test.png，
256：images / test.png
}，
app：{
background：{
scripts：[
background.js
] 
} 
}，
 
sandbox：{
js：[
lib / test-api.js
] 
}，
权限：[
< all_urls>，
notifications，
storage，
videoCapture
] 
} 
  

我有一个运行 eval 的脚本文件。已阅读有关 CSP 和沙盒，但我仍然得到是错误：
$ b

拒绝将字符串评估为JavaScript，因为'unsafe-eval'是
不是脚本允许的源代码以下Content Security
Policy指令：default-src'self'chrome-extension-resource：。
请注意'script-src'没有明确设置，所以'default-src'是
作为后备。

您是否尝试将CS​​P行添加到清单中，如 CSP 链接？

 content_security_policy：script-src'self''unsafe-eval '; object-src'self'
  

My Chrome app has the following manifest:

{
    "name": ",
    "version": "1.0.3",
    "manifest_version": 2,
    "description": "Chrome Extension for.",
    "icons": {
        "16": "images/test.png",
        "19": "images/test.png",
        "256": "images/test.png"
    },
    "app": {
        "background": {
            "scripts": [
                "background.js"
            ]
        }
    },

    "sandbox": {
        "js": [
            "lib/test-api.js"
        ]
    },
    "permissions": [
        "<all_urls>",
        "notifications",
        "storage",
        "videoCapture"
    ]
}

I have a script file that runs eval. I have read about CSP and sandboxing, but I still get this error:

Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' chrome-extension-resource:". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

解决方案

Have you tried adding the CSP line to your manifest as per your CSP link?

"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"

这篇关于Chrome应用中的内容安全政策的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！