问题
Using jQuery 1.10.2 and jQuery Mobile 1.3.2 I am trying to create a chrome packaged app with the following simple html...
<!DOCTYPE html>
<html>
<body>
<div data-role="page">
<script async src="events.js" type="text/javascript"></script>
</div>
</body>
</html>
There are two problems. The first is that jQuery will intercept the script tag loading events.js and makes the call xhr.open( s.type, s.url, s.async ); however s.async is false. Chrome packaged apps do not allow synchronous loading. So before this line in jQuery i set s.async = true;
The next problem is that jquery will call its globalEval method on each script on first document insertion and this calls eval which produces this CSP error with the chrome packaged app:
Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' chrome-extension-resource:".
One solution might be sandboxing (add the html page in the manifest) however this causes another problem: XMLHttpRequest cannot load chrome-extension://ocnbknafegfhcgbiciegbfndjckamkoj/events.html. Origin null is not allowed by Access-Control-Allow-Origin. The server has "Access-Control-Allow-Origin", "*" so i wouldn't expect this error.
So, is the first sync error a jquery problem? Is the second problem also jquery/chrome packaged app mismatch? Is there are workaround for CSP? Is there a way to sandbox but allow navigation between pages?
回答1:
As you mentioned, you can't use globalEval in Chrome packaged apps because of the Content Security Policy (CSP). You also can't use in line script tags as the CSP views that as a security risk as well.
You are on the right track with sandboxing your non-CSP complaint HTML and JS, but in order to make the XHR requests, you need to use the messaging service between windows to get rid of the Origin error.
Take a look at the following url wich has documentation on how to handle cross-origin requests: http://developer.chrome.com/apps/app_external.html#cross-origin
来源:https://stackoverflow.com/questions/19365017/chrome-packaged-apps-not-working-with-jquery-and-jquery-mobile