Refused to execute inline script because it violates the following Content Security Policy directive: “script-src 'self'”

问题:

Im creating a chrome extension for Rss reader in that im getting the above error. please help

manifest.json

{     "name": "Tutorialzine Extension",         "manifest_version": 2,         "version": "1.1",         "description": "Making your first Google Chrome extension.",         "icons": {         "128": "icon_128.png"     },         "web_accessible_resources": ["script.js", "https://query.yahooapis.com"],         "browser_action": {         "default_icon": "icon.png",             "default_popup": "tutorialzine.html"     },         "permissions": ["tabs", "<all_urls", "http://localhost/",         "http://*/*", "https://*/*", "https://query.yahooapis.com"],         "content_security_policy": "script-src 'self'; 'https://query.yahooapis.com';unsafe-inline; object-src 'self'" } 

script.js

$(document).ready(function () {      var query = "SELECT * FROM feed WHERE url='http://feeds.feedburner.com/Tutorialzine' LIMIT 2";      // Storing the seconds since the epoch in now:     var now = (new Date()).getTime() / 1000;      // If there is no cache set in localStorage, or the cache is older than 1 hour:     if (!localStorage.cache || now - parseInt(localStorage.time) > 1 * 60 * 60) {         $.get("yahoo.js", function (msg) {              // msg.query.results.item is an array:             var items = msg.query.results.item;             var htmlString = "";              for (var i = 0; i < items.length; i++) {                 var tut = items[i];                  // Extracting the post ID from the permalink:                 var id = tut.guid.content.match(/(\d+)$/)[0];                  // Looping and generating the markup of the tutorials:                  htmlString += '<div class="tutorial">\                             <img src="http://tutorialzine.com/img/posts/' + id + '.jpg" />\                             <h2>' + tut.title + '</h2>\                             <p>' + tut.description + '</p>\                             <a href="' + tut.link + '" target="_blank">Read more</a>\                             </div>';             }              // Setting the cache             localStorage.cache = htmlString;             localStorage.time = now;              // Updating the content div:             $('#content').html(htmlString);         }, 'json');     } else {         // The cache is fresh, use it:         $('#content').html(localStorage.cache);     } } 

Error in jquery.min.js:

Jquery.min.js contains inline script what to do

parentNode:d.removeChild(d.appendChild(s.createElement("div"))).parentNode===null,deleteExpando:true,checkClone:false,scriptEval:false,noCloneEvent:true,boxModel:null};b.type="text/javascript";try{b.appendChild(s.createTextNode("window."+f+"=1;"))}catch(i){}a.insertBefore(b,a.firstChild);if(A[f]){c.support.scriptEval=true;delete A[f]}try{delete b.test}catch(o){c.support.deleteExpando=false}a.removeChild(b);if(d.attachEvent&&d.fireEvent){d.attachEvent("onclick",function k(){c.support.noCloneEvent= 

回答1:

I also faced such type of problem when working with LinkedIn oAuth API.

I was using linkedIn API with following settings for cordova

config.xml

 <access origin="*" launch-external="yes"/>   <allow-navigation href="*" /> 

Meta Tag was

 <meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"> 

Script

<script type="text/javascript" src="http://platform.linkedin.com/in.js"></script> 

When i run the application on emulator its giving

Fixed Problem to add uri into meta tag http://platform.linkedin.com like

<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' http://platform.linkedin.com "> 

文章来源: Refused to execute inline script because it violates the following Content Security Policy directive: “script-src 'self'”