问题
I'm trying to create a Chrome packaged app from a complicated web app. I'm currently getting the error:
Refused to execute inline event handler because it violates the following Content Security Policy directive: "default-src 'self' chrome-extension-resource:". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
How do I explicitly set the policy in my manifest.json? I've tried things like:
"content_security_policy": "default-src 'inline'; script-src 'inline'"
but I still get the same error message. Is my syntax wrong, or is the error a red herring?
回答1:
You can't loosen the default CSP in a packaged app. If you're doing something like <button id="foo" onclick="doSomething()"> then you should instead include a separate JS file in the HTML where you do a document.querySelector("#foo").onclick = doSomething; in your onload handler. This will comply with CSP and make your app more resistant to XSS attacks.
回答2:
I faced the same problem, and I while reading this document I found the following:
"sandbox": {
"pages": ["sandboxed.html"]
}
来源:https://stackoverflow.com/questions/16625560/how-to-set-script-src-in-a-chrome-packaged-app