I'm having trouble loading an external JS file in a Chrome extension. Here's the CSP entry in the manifest:
"content_security_policy": "script-src 'self' 'unsafe-eval' 'unsafe-inline' http://proto.office.atlassian.com; object-src 'self'"
Here's how I'm calling the script in popup.html:
<script src="http://proto.office.atlassian.com/prototypes.js"></script>
And here's the error I'm getting:
Refused to load the script 'http://proto.office.atlassian.com/prototypes.js' because it violates the following Content Security Policy directive: "script-src 'self'"
I've confirmed CORS is set correctly on the server, and I can pull the script via XMLHttpRequest fine, but I can't seem to load one via a script tag or eval it once I grab it. Any help is appreciated :)
An external script must be explicitly allowed by the content security policy in the manifest.
If you have a need for external JavaScript or object resources, you can relax the policy to a limited extent by whitelisting secure origins from which scripts should be accepted...
A relaxed policy definition which allows script resources to be loaded from example.com over HTTPS might look like:
"content_security_policy":"script-src 'self' https://example.com; object-src 'self'"
Scripts can be loaded into an extension over HTTPS; you must load the jQuery CDN resource over HTTPS:
<script src="https://ajax.googleapis.com/..."></script>

{
  "manifest_version": 2,
  "name": "one-click kittens",
  "description": "this extension demonstrates 'browser action' kittens.",
  "version": "1.0",
  "browser_action": {
    "default_icon": "icon.png",
    "default_popup": "popup.html"
  },
  "content_security_policy": "script-src 'self' https://ajax.googleapis.com; object-src 'self'"
}
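
The failure in the question and the fix in the answer can be checked before loading the extension. The following is an added example, not code from the original post: the function names are hypothetical, and the rules that 'unsafe-inline' has no effect in extension pages and that http://localhost and http://127.0.0.1 are accepted are assumptions taken from Chrome's Manifest V2 CSP documentation, not from this page.

```javascript
// Added example: audit the script-src of a Manifest V2 content_security_policy
// for sources that Chrome will not honour. Helper names are hypothetical.

// Split a CSP string into { directive: [sources...] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Return one finding per script-src source that will be dropped or ignored.
function auditScriptSrc(policy) {
  const sources = parseCsp(policy)['script-src'] || [];
  const findings = [];
  for (const src of sources) {
    if (src.toLowerCase() === "'unsafe-inline'") {
      // Assumption (Chrome MV2 docs): this keyword has no effect in extensions.
      findings.push({ source: src, issue: 'ignored in extension pages' });
    } else if (/^http:\/\//i.test(src)) {
      const host = src.slice(7).split(/[:/]/)[0].toLowerCase();
      // Assumption (Chrome MV2 docs): only loopback hosts may use plain http.
      if (host !== 'localhost' && host !== '127.0.0.1') {
        findings.push({ source: src, issue: 'insecure origin, use https://' });
      }
    }
  }
  return findings;
}

// Policies copied from the question and from the answer above.
const QUESTION_CSP = "script-src 'self' 'unsafe-eval' 'unsafe-inline' " +
  "http://proto.office.atlassian.com; object-src 'self'";
const ANSWER_CSP =
  "script-src 'self' https://ajax.googleapis.com; object-src 'self'";

console.log(auditScriptSrc(QUESTION_CSP)); // two findings
console.log(auditScriptSrc(ANSWER_CSP));   // no findings
```

With the http:// origin dropped, the effective directive is the "script-src 'self'" shown in the error message, which is why the script tag in popup.html is refused.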