Content Security Policy in Chrome App

走了就别回头了 2020-12-14 07:01

My Chrome app has the following manifest:

{
    "name": ",
    "version": "1.0.3",
    "manifest_version": 2,
    "description": "Chrome Extensio


        
2 answers
  • 2020-12-14 07:07

    What you're showing is not a Chrome extension, but a Chrome app.
    Chrome extensions will let you relax the default Content Security Policy; Chrome Apps won’t. (source: CSP docs for Chrome apps; note: this page is different from CSP docs for Chrome extensions).

    The next line applies to apps and extensions:

    • The Content security policy does not apply to a specific script, but a whole page. So, you can only declare a sandbox for a whole page (using the sandbox.pages key in the manifest file). You cannot use "js" as a key in sandbox.

    In a Chrome extension, the CSP can be relaxed, e.g. allowing eval using the following policy:

    "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"
    

    To turn your app into an extension: Do not use the apps key, but use a background key. With the following manifest, you'll be able to use eval in your background page:

    {
        "name": "Whatever",
        "version": "1.0.3",
        "manifest_version": 2,
        "background": {
            "scripts": [
                "background.js"
            ]
        },
        "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"
    }
    

    (omitted icons / permissions because they're not relevant for the example; omitted sandbox because it's not needed)

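The manifest rules from the answer above, as an added example that is not part of the original post or of Chrome's own tooling: a small Node.js audit that tells an app manifest from an extension manifest and flags the cases the answer describes. `parseCsp`, `auditManifest` and both sample manifests are hypothetical names and constructed data; the `app` and `sandbox.content_security_policy` keys are assumed from the Chrome manifest format rather than taken from this page.

```javascript
// Split a CSP string into { directive: [source, ...] }; the first occurrence wins.
function parseCsp(policy) {
  const directives = Object.create(null);
  for (const part of String(policy || "").split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    const key = name && name.toLowerCase();
    if (key && !(key in directives)) directives[key] = sources;
  }
  return directives;
}

// Classify a manifest_version 2 manifest and report the issues described above.
function auditManifest(manifest) {
  const findings = [];
  const isApp = Object.prototype.hasOwnProperty.call(manifest, "app"); // Chrome App marker
  const csp = parseCsp(manifest.content_security_policy);
  const scriptSrc = csp["script-src"] || csp["default-src"] || []; // default-src fallback
  const wantsEval = scriptSrc.some((s) => s.toLowerCase() === "'unsafe-eval'");

  if (isApp && manifest.content_security_policy !== undefined) {
    findings.push("app: content_security_policy cannot relax a Chrome App's default CSP");
  }
  if (!isApp && wantsEval) {
    findings.push("extension: 'unsafe-eval' is allowed on every extension page");
  }
  for (const key of Object.keys(manifest.sandbox || {})) {
    if (key !== "pages" && key !== "content_security_policy") {
      findings.push(`sandbox: unsupported key "${key}"; list whole pages in sandbox.pages`);
    }
  }
  return { kind: isApp ? "app" : "extension", evalRelaxedByCsp: !isApp && wantsEval, findings };
}

// Constructed sample manifests (not the asker's real files).
const appManifest = {
  name: "Sample app", version: "1.0.3", manifest_version: 2,
  app: { background: { scripts: ["background.js"] } },
  sandbox: { js: ["lib.js"] },
  content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'",
};
const extensionManifest = {
  name: "Whatever", version: "1.0.3", manifest_version: 2,
  background: { scripts: ["background.js"] },
  content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'",
};
console.log(auditManifest(appManifest));
console.log(auditManifest(extensionManifest));
```

Running the audit in code review or CI makes an `'unsafe-eval'` relaxation a visible, deliberate decision instead of a line copied into the manifest.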
  • 2020-12-14 07:28

    Have you tried adding the CSP line to your manifest as per your CSP link?

    "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"
    