content security policy issue with chrome extension

Question

Trying to load different contents(can be pdf, swf etc.) in an 'iframe' through javascript in an chrome extension application. The content is loaded using the data URL scheme as :

// this javascript is registered in the html file and the LoadFunction is registered inside the DOMContentLoaded event on the click of a button.

void LoadFunction()
{
window.parent.document.getElementById("page_data").src = 'data:application/pdf;base64,'    + 'base64 encoded data'; (base64 data is received from a c++ class)
}

but as soon as above function is called, a content security policy error is raised as :

Refused to load plugin data from 'data:application/pdf;base64,JVBERi0xLjQNCiXi48/TDQoxIDAgb2JqDQo8PA0KL1R5cGU…mRvYmoNCjkgMCBvYmoNCjw8DQovVHlwZSAvRm9udA0KL1N1YnR5cGUgL1R5cGUxDQovQmFzZUZ' because it violates the following Content Security Policy directive: "default-src 'self'

But surprisingly this error is NOT raised when the data url is changed to : 'data:image/png;base64,' + 'base64 encoded data'; and the image gets loaded into iframe successfully.

As far as i know, this error is raised only when inline code is executed directly into html file but this isn't the case here and if that is the case then why it does not gets raised for image files.

Also if i try setting the content security policy in the manifest.json file as : "content_security_policy": "script-src 'self'; object-src 'self' ; frame-src 'self' data:"

then the error changes to : Refused to load plugin data from 'data:application/pdf;base64,' because it violates the following Content Security Policy directive: "object-src 'self'

so probably object-src needs to be set, but not sure what it should be.

Answer 1

According to the documentation of the Chrome extension's Content Security Policy,

Note that both script-src and object-src are defined by the policy. Chrome will not accept a policy that doesn't limit each of these values to (at least) 'self'.

It is not possible to relax your extemsion's CSP to accept the PDF.
However...

You can define a sandboxed extension resource, i.e. a page within your extension that is not affected by the extension's CSP. At the same time, the page will lose its access to the Chrome extension API, to protect against security vulnerabilities in your page. If you wish to communicate between your extension and the sandboxed page, use postMessage - e.g. as shown at Using eval in Chrome Extensions. Safely..