Extension refuses to load the script due to Content Security Policy directive

Asked 16/9, 2014 at 11:29 Answered 13/6, 2018 at 12:20

Solved jquery google-chrome google-chrome-extension content-security-policy

Following is my code of HTML

Scripts:

<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js"></script>
<script src="background.js"></script>

HTML:

      <button name="btnlogin" id="btnlogin">Login</button><br/><br/>

and following is js

$(document).ready(function(){
document.getElementById("#btnlogin").click(function(){
   alert("s");
 });
});

manifest file:

{
"manifest_version": 2,
"name": "One-click Kittens",
"description": "This extension demonstrates a 'browser action' with kittens.",
 "version": "1.0",
"browser_action": {
"default_icon": "icon.png",
"default_popup": "popup.html"
},
}

I found that when I run this code simply in browser than alert appears properly but when I run it as a chrome extension it gives me following errors.

Uncaught ReferenceError: $ is not defined

and

Refused to load the script 'http://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js' because it violates the following Content Security Policy directive: "script-src 'self' chrome-extension-resource:".

I don't understand what are these errors. Please help me understanding the extension..

Thank you

Low answered 16/9, 2014 at 11:29 Comment(4)

It sounds like maybe you're following a guide on making old version 1 manifest extensions... $ is not defined means jquery wasn't loaded, and the second message is telling you the reason why jquery wasn't loaded. You should show us your manifest for the extension. Here are the docs for extension manifests: developer.chrome.com/extensions/manifest – Octavie 16/9, 2014 at 11:35

Just package jQuery in the extension. – Mitziemitzl 16/9, 2014 at 13:9

I have download jquery file and linked it to HTML page. That has got the thing working, But what about the update or migration of jquery? – Low 22/1, 2018 at 5:8

I think I will need to update jquery manually every time. – Low 10/4, 2019 at 6:9

In a Chrome extension, external script sources must be explicitly allowed by the extension's content security policy (CSP) in your manifest:

If you have a need for some external JavaScript or object resources, you can relax the policy to a limited extent by whitelisting secure origins from which scripts should be accepted...

A relaxed policy definition which allows script resources to be loaded from example.com over HTTPS might look like:
"content_security_policy":"script-src 'self' https://example.com; object-src 'self'"

Scripts can only be loaded into an extension over HTTPS, so you must load the jQuery CDN resource over HTTPS:

<script src="https://ajax.googleapis.com/..."></script>

And add a modified CSP to your manifest to allow that HTTPS resource:

{
    "manifest_version": 2,
    "name": "One-click Kittens",
    "description": "This extension demonstrates a 'browser action' with kittens.",
    "version": "1.0",
    "browser_action": {
        "default_icon": "icon.png",
        "default_popup": "popup.html"
    },
    "content_security_policy": "script-src 'self' https://ajax.googleapis.com; object-src 'self'"
}

And even better solution for your particular case, however, would be to include jQuery in your extension locally, instead of loading from the Internet (for example, your extension currently won't work offline). Simply include a copy of jQuery in your extension folder and refer to it with a relative path in your script tag. Assuming your jQuery library and HTML popup file are in the same subdirectory, simply do:

<script src="jquery-x.y.z.min.js"></script>

Gummous answered 16/9, 2014 at 12:15 Comment(8)

What if you have multiple urls you need to allow? I don't see any example of how to achieve that in the documentation. – Poolroom 20/9, 2015 at 20:51

@TheMuffinMan Just separate them by spaces. Note that the CSP is general Web standard that is borrowed by Chrome aops/extensions; you may have better luck looking for CSP docs/grammar in general. – Gummous 20/9, 2015 at 20:56

@Gummous I am using an API in a chrome extension which is served over http only. I am facing the same error. Could you provide your thought over this? API sample link: loklak.org/api/search.json?q=from%3Atwitter – Bourassa 17/12, 2016 at 19:20

@AdityaC It's been a while since I've done Chrome extension development, but I don't think there is a strict HTTPS requirement for non-script resources. Just add the domain to your permissions and fetch the JSON. You'll need to share your code (in a new question) and your specific error. – Gummous 17/12, 2016 at 21:42

Multiple URLs look like this: "content_security_policy":"script-src 'self' https://example.com https://anotherexample.com; object-src 'self'" – Weald 12/5, 2017 at 2:11

And make sure not to put a slash after the domain like I stupidly did... – Nickles 22/9, 2017 at 15:52

I've got jquery, bootstrap etc. in a local directory and everything works fine. But why is it better to use local vs. link to https CDN in CSP? – Several 20/11, 2017 at 18:42

any idea how to do this at "manifest_version": 3 ? – Sandwich 16/4, 2021 at 22:34

-7

<script nonce='<?= CSP::getNonce() ?>'>
var oldCreate = document.__proto__.createElement;
document.__proto__.createElement = function (elementName) {      
    var el = oldCreate.apply(this, arguments);
    if (elementName == "script") {           
        el.setAttribute('nonce', '<?= CSP::getNonce() ?>');
    }
    return el;
}
</script>

<script nonce='<?= CSP::getNonce()?>' type="text/javascript" src="/include/jquery.js"></script>

Dessiedessma answered 13/6, 2018 at 12:20 Comment(1)

This does not answer the question. It doesn't give any valuable information. And it uses different languages/libraries than those asked in the question. – Magnetite 18/11, 2019 at 10:7

Recommended topics

Hot tags