javascript, google-chrome-app, content-security-policy

Chrome app content security policy not letting me run eval() even after making changes in manifest.json


I'm developing a Chrome App with Google Blockly. In order to run JavaScript code dynamically I want to use the eval() function.


Chrome app relaxing the default policy using manifest

I tried the above link. I used this manifest as suggested by the Chrome docs.


manifest.json

{
  "manifest_version": 2,
  "name": "Blockly",
  "version": "1.0.0",
  "icons": {
    "128": "icon_128.png"
  },
  "permissions": [],
  "app": {
    "background": {
      "scripts": ["background.js"]
    }
  },
  "minimum_chrome_version": "46",
  "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"
}

inject.js

window.addEventListener("load", function() {
  document.getElementById("myBtn").addEventListener("click", function() {
    let code = 'initiate();';
    try {
      eval(code);
    } catch (e) {
      console.log(e);
    }
  });
});

I am still getting this error:

EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' blob: filesystem: 'wasm-eval'".

at HTMLButtonElement.<anonymous> (inject.js:40)


Solution

  • I found the answer

    Content Security Policy in Chrome App

    Chrome extensions will let you relax the default Content Security Policy; Chrome Apps won’t.
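
An added example, not part of the original question or answer and not Chrome's own code: a small check that compares the policy requested in manifest.json with the directive quoted in the EvalError, showing that the 'unsafe-eval' relaxation was never applied. The function names (parseCsp, allowsEval, isChromeApp, auditManifest) are hypothetical; the manifest fields and the enforced directive are the ones from the question.

```javascript
'use strict';

// Parse a CSP string into a Map: directive name -> list of source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // When a directive is repeated, only its first occurrence counts.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// eval() is permitted when script-src (falling back to default-src) lists
// 'unsafe-eval', or when the policy has neither directive at all.
function allowsEval(policy) {
  const d = parseCsp(policy);
  const sources = d.get('script-src') || d.get('default-src');
  if (!sources) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Chrome Apps declare app.background in the manifest; extensions do not.
function isChromeApp(manifest) {
  return Boolean(manifest.app && manifest.app.background);
}

// Compare what the manifest asks for with the policy Chrome reports enforcing.
function auditManifest(manifest, enforcedPolicy) {
  const requested = manifest.content_security_policy;
  const report = {
    chromeApp: isChromeApp(manifest),
    requestsEval: typeof requested === 'string' && allowsEval(requested),
    enforcedAllowsEval: allowsEval(enforcedPolicy),
  };
  // The relaxation is ignored when it was requested but is not in force.
  report.relaxationIgnored = report.requestsEval && !report.enforcedAllowsEval;
  return report;
}

// Values taken from the question: the relevant manifest fields and the
// directive quoted in the EvalError message.
const manifest = {
  manifest_version: 2,
  app: { background: { scripts: ['background.js'] } },
  content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'",
};
const enforced = "script-src 'self' blob: filesystem: 'wasm-eval'";
console.log(auditManifest(manifest, enforced));
```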