Content Security Policy issue

[zenzjtech]

Hello,

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-GgRxrVOKNdB4LrRsVPDSbzvfdV4UqglmviH9GoBJ5jk='". Either the 'unsafe-inline' keyword, a hash ('sha256-N/tHXVVQthcO77tcS7VT2tmLWxdumYi73F87h+hd5s0='), or a nonce ('nonce-...') is required to enable inline execution.

My manifest.json - I tried both hashes: the default one, and the suggested in the error message, but none of them work.

{
  "name": "My Extension",
  "version": "1.0",
  "manifest_version": 2,
  "browser_action": {
    "default_popup": "index.html"
  },
  "content_security_policy": "script-src 'self' 'sha256-N/tHXVVQthcO77tcS7VT2tmLWxdumYi73F87h+hd5s0='; object-src 'self'"
}

[zenzjtech]

@satendra02 : I forgot to build after updating to the suggested hash. Just rebuild and now it work!

[zenzjtech]

Is there a away to fix the issue that whenever extension is rebuilt, then a new hash is required for manifest.json?
The extension keep signaling the above error.

[satendra02]

Hi @zenzjtech

If you are using any inline script in index.html

The Hash generated in the console will be the same if there is no change in the script block code every time you build.

For more read this article.
https://www.troyhunt.com/locking-down-your-website-scripts-with-csp-hashes-nonces-and-report-uri/

---

You can remove that hash if you are not using any external js in index.html using <script src="..."> tag.

"content_security_policy": "script-src 'self'; object-src 'self'"

---

If you are using any external script like below inside your index.html. Suppose script resources to be loaded from example.com over HTTPS

<script src="https://example.com/js/library.js"></script>

A relaxed policy definition looks like:

"content_security_policy": "script-src 'self' https://example.com; object-src 'self'"

---

If all the above is not the case then do these steps and let me know if it works.

1. Create a .env file in the project root
2. Add variable as follows: INLINE_RUNTIME_CHUNK=false
3. Build the project again and load the extension again.

I hope it helps!

---

For more read below for relaxing CSP:

https://developer.chrome.com/extensions/contentSecurityPolicy

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#Unsafe_inline_script