I am building a Chrome extension. When I test it locally, I can take some actions that cause a CSP violation:
Refused to run the JavaScript URL because it violates the following Content Security Policy directive: "script-src https://apis.google.com 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
However, my code does not have any inline JavaScript! The error console points to the first line of my HTML, namely <!DOCTYPE html>, as the culprit:
Stack Trace
html/popup.html:1 (anonymous function)
<!DOCTYPE html>
<html>
<head>
<meta name="viewport" content="width=600, height=600, initial-scale=1.0">
<link rel="stylesheet" href="../css/bootstrap-3.3.7-dist/css/bootstrap.min.css">
<link rel="stylesheet" href="../css/font-awesome-4.7.0/css/font-awesome.min.css">
<script src="https://apis.google.com/js/api.js"></script>
<script src="../go/go.js"></script>
</head>
<body style="width: 500px; height: 600px">
<div> ...
There are no other <script> tags in the document. The go.js file is compiled from Go using GopherJS.
What is going on? How do I figure out what is causing this CSP violation?
<script src="https://apis.google.com/js/api.js"></script>
This is the cause. In your manifest.json, try adding this:
"content_security_policy": "script-src 'self' 'unsafe-eval' https://apis.google.com; object-src 'self'",
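The question also asks how to find out what is triggering a violation when the console only points at line 1. The page itself fires a securitypolicyviolation event for every block, and its fields (blockedURI, effectiveDirective, sourceFile, lineNumber) are enough to classify the problem and to tell a script injected at runtime (which the answer above attributes to the remote api.js loader) from one written in the HTML. The following is an added example, not code from the original question or answer; the function names describeCspViolation and listScriptSources and the file path csp-report.js are assumptions made here.

```javascript
// Added example (not from the original question or answer): a reporter that
// records every CSP violation in an extension page with the fields needed to
// attribute it, plus a pure helper, describeCspViolation, that converts the
// event into a readable record so the logic can be tested outside a browser.

// Build a readable record from a SecurityPolicyViolationEvent (or any object
// carrying the same fields). Field names follow the standard event interface.
function describeCspViolation(ev) {
  const directive = ev.effectiveDirective || ev.violatedDirective || '';
  const blocked = ev.blockedURI || '';
  const line = ev.lineNumber || 0;
  let diagnosis;
  if (blocked === 'inline') {
    // Inline <script>, inline handler or javascript: URL. CSP reports these
    // against the document, so sourceFile:lineNumber shows line 1 when the
    // code was injected at runtime by another (already allowed) script.
    diagnosis = line <= 1
      ? 'inline script or javascript: URL, likely injected at runtime; compare listScriptSources(document.scripts) with the HTML to find the loader'
      : 'inline script or javascript: URL present in the page source at the reported line';
  } else if (blocked === 'eval') {
    diagnosis = "eval()/new Function(); requires 'unsafe-eval' in script-src or a rewrite of the calling code";
  } else {
    diagnosis = `load of ${blocked} is not allowed by ${directive}; add its origin to the directive or drop the load`;
  }
  return {
    directive,
    blockedURI: blocked,
    where: `${ev.sourceFile || '?'}:${line}:${ev.columnNumber || 0}`,
    // sample is only filled in when the directive carries 'report-sample'.
    sample: ev.sample || '',
    diagnosis,
  };
}

// Return the non-empty src values of a list of script elements (or any
// objects with a src field). In the page: listScriptSources(document.scripts).
// Anything listed here that is not in the HTML was inserted by a script.
function listScriptSources(scripts) {
  return Array.from(scripts, (s) => s.src || '').filter((src) => src !== '');
}

// Browser-only part: register as early as possible, from an external file
// (an inline listener would itself be blocked by the extension CSP).
if (typeof document !== 'undefined') {
  document.addEventListener('securitypolicyviolation', (ev) => {
    console.warn('CSP violation', describeCspViolation(ev));
    console.warn('scripts currently loaded:', listScriptSources(document.scripts));
  });
}
```

Save this as an external file (for instance ../js/csp-report.js) and load it as the first <script src> in <head> of popup.html, before api.js and go.js, so that violations caused by the later scripts are caught and the warning shows which directive and which blocked resource are involved. Two caveats, not from the original thread: the violation record is informational only, so the manifest CSP still decides what runs; and the string form of content_security_policy shown in the answer is the Manifest V2 syntax, while Manifest V3 uses an object with an extension_pages key that does not accept remote hosts such as https://apis.google.com at all.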