Content Security Policy in Chrome App
Have you tried adding the CSP line to your manifest as per your CSP link?
"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"
What you're showing is not a Chrome extension, but a Chrome app.
Chrome extensions will let you relax the default Content Security Policy; Chrome Apps won’t. (source: CSP docs for Chrome apps; note: this page is different from CSP docs for Chrome extensions).
The next line applies to apps and extensions:
- The Content security policy does not apply to a specific script, but a whole page. So, you can only declare a sandbox for a whole page (using the
sandbox.pages
key in the manifest file). You cannot use "js" as a key in sandbox.
In a Chrome extension, the CSP can be relaxed, e.g. allowing eval
using the following policy:
"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"
To turn your app in an extension: Do not use the apps
key, but use a background
key. With the following manifest, you'll be able to use eval
in your background page:
{ "name": "Whatever", "version": "1.0.3", "manifest_version": 2, "background": { "scripts": [ "background.js" ] }, "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"}
(omitted icons
/ permissions
because they're not relevant for the example; omitted sandbox
because it's not needed)