Vue.js in Chrome extension Vue.js in Chrome extension vue.js vue.js

Vue.js in Chrome extension


javascript google-chrome google-chrome-extension vue.js

Have you csp version (Vue.js v1)

CSP-compliant build

Some environments, such as Google Chrome Apps, enforces Content Security Policy (CSP) and does not allow the use of new Function() for evaluating expressions. In these cases you can use the CSP-compliant build instead.

(Vue.js v1) http://v1.vuejs.org/guide/installation.html#CSP-compliant-build

npm install vue@csp --save"dependencies": {  "vue": "1.0.26-csp"}

New version (Vue.js v2) https://vuejs.org/v2/guide/installation.html#CSP-environments

Some environments, such as Google Chrome Apps, enforce Content Security Policy (CSP), which prohibits the use of new Function() for evaluating expressions. The standalone build depends on this feature to compile templates, so is unusable in these environments.

There is a solution however. When using Vue in a build system with Webpack + vue-loader or Browserify + vueify, your templates will be precompiled into render functions which work perfectly in CSP environments.

javascript google-chrome google-chrome-extension vue.js

I guess you were using code like new Vue(...) in your implementation, as this issue said.

Please be aware by default CSP in chrome extension, eval and related functions are disabled.

Code like the following does not work:

  • alert(eval("foo.bar.baz"));
  • window.setTimeout("alert('hi')", 10);
  • window.setInterval("alert('hi')", 10);
  • new Function("return foo.bar.baz");

So the solution would be

1. Relaxing the default policy.

As per the description of Evaluated JavaScript,

The policy against eval() and its relatives like setTimeout(String), setInterval(String), and new Function(String) can be relaxed by adding 'unsafe-eval' to your policy:

"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"

However, the guide also mentions that,

we strongly recommend against doing this. These functions are notorious XSS attack vectors.

2. Using CSP-compliant build.(Recommended)

As the installation page of Vue.js said,

Some environments, such as Google Chrome Apps, enforces Content Security Policy (CSP) and does not allow the use of new Function() for evaluating expressions. In these cases you can use the CSP-compliant build instead.

Recent Posts
How can I color dots in a xy scatterplot according to column value?
How to update a claim in ASP.NET Identity?
What does {0} mean when initializing an object?
Accessing members of items in a JSONArray with Java
How to log SQL statements in Spring Boot?
Powershell Get-WebSite name parameter is ignored
How to detect scroll to bottom of html element
Java synchronized method
How to test controllers with CodeIgniter?
Detect Visual Composer
Matplotlib: Specify format of floats for tick labels
Rails join a list of strings with commas and "and" before the last