How to fix chrome-extension inline JavaScript invocation error?
By default Content Security Policy, inline scripts won't be loaded and only local script can be loaded. You could relax the default policy by:
Inline Script. Take a look at Official Guide, inline scripts can be whitelisted by specifying the base64-encoded hash of the source code in the policy. See Hash usage for elements for an example.
But I believe a better way would extract this logic to a separate script and not use inline script.
Remote Script. You could whitelist script resources
https://apis.google.com/js/client.js?onload=handleClientLoad
by the following section inmanifest.json
"content_security_policy":"script-src 'self' https://apis.google.com; object-src 'self'"
Also, I believe a better way could be downloading the remote
client.js
and include it as a local script.
Please be aware as per the description of Inline Script, unsafe-inline
no longer works.
Up until Chrome 45, there was no mechanism for relaxing the restriction against executing inline JavaScript. In particular, setting a script policy that includes 'unsafe-inline' will have no effect.
I solved this by outsourcing everything into the JavaScript file.So instead of the onclick method in the html I have in the JS file:
window.onload = function () { document.getElementById("button").onclick = <function>;}
You can use this instead of onclick in an external file:
document.getElementById("#divId").addEventListener("click", myFunction);