Use eval() in a Chrome chrome-extension:// page -


I know I may be being stupid, but if a Chrome tab has a page loaded whose URL begins with chrome-extension://, can its scripts be loaded online, or use eval()? I know that browser action popups or app windows can't use it. Part of my extension opens a normal new tab, and that page uses eval().

All pages running at the chrome-extension:// origin are subject to the default Content Security Policy described here, specifically:

script-src 'self'; object-src 'self' 

A popup is considered such a page too, as is the invisible background page. If you open a file of the extension in a tab, it is subject to it as well.

You can either:

  • Relax (or tighten) the default policy for all pages in the manifest:

    "content_security_policy": "[policy string goes here]" 

    This way you can allow eval and friends by adding 'unsafe-eval' to script-src.

    You can also allow loading external scripts by adding their origin to the policy; however, only https origins are allowed, for MITM protection reasons.

    However, it's important to remember that 'unsafe-inline' is ignored regardless of the custom policy.

  • Relax (or tighten) the default policy for a specific page by declaring it sandboxed:

    "sandbox": {
      "pages": [
        "page1.html",
        "directory/page2.html"
      ],
      // content_security_policy is optional.
      "content_security_policy":
          "sandbox allow-scripts; script-src https://www.google.com"
    },

    The sandboxed CSP can be more permissive, but there are still a couple of restrictions.

    The price of sandboxing is losing access to the Chrome API. A sandboxed script has to communicate via DOM messages with privileged pages to get privileged things done.

    there's guide in documentation, "using eval in chrome extensions. safely."


For apps, the situation is a bit different. Again, a default (and more restrictive) CSP applies, but you cannot modify it in the manifest.

The sandboxing approach still works, though.
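The two options from the answer side by side, as an added example that is not part of the original post: a manifest that adds 'unsafe-eval' to the default policy, a manifest that sandboxes one page instead, a small checker that models what Chrome keeps from a custom script-src (only 'unsafe-eval' and https: origins; 'unsafe-inline' is ignored), and the postMessage round trip between a privileged page and the sandboxed page that does the eval. The extension name, the sandbox.html page, the cdn.example.com origin and the helper names are assumptions made for this demo, not anything from the Chrome documentation.

```javascript
// Added example (not from the original answer). Names below are assumptions.

// Option 1: relax the default policy for every extension page in manifest.json.
const manifestWithUnsafeEval = {
  manifest_version: 2,
  name: "eval-demo",
  version: "1.0",
  content_security_policy:
    "script-src 'self' 'unsafe-eval' https://cdn.example.com; object-src 'self'",
};

// Option 2: keep the default policy, but declare one page sandboxed. That page
// may eval freely but has no chrome.* API and talks to the rest only via messages.
const manifestWithSandbox = {
  manifest_version: 2,
  name: "eval-demo",
  version: "1.0",
  sandbox: {
    pages: ["sandbox.html"],
    content_security_policy:
      "sandbox allow-scripts; script-src 'self' 'unsafe-eval'",
  },
};

// Parse a CSP string into { directiveName: [sources...] }.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Simplified model (an assumption of this demo) of how Chrome treats a custom
// extension script-src: 'unsafe-eval' is honoured, 'unsafe-inline' is ignored,
// and a remote origin is only accepted when it is https:.
function checkExtensionPolicy(policy) {
  const scriptSrc = parsePolicy(policy)["script-src"] || [];
  const result = { allowsEval: false, externalOrigins: [], ignored: [], rejected: [] };
  for (const src of scriptSrc) {
    if (src === "'self'") continue;
    if (src === "'unsafe-eval'") result.allowsEval = true;
    else if (src === "'unsafe-inline'") result.ignored.push(src);
    else if (/^https:\/\//i.test(src)) result.externalOrigins.push(src);
    else result.rejected.push(src); // http:, wildcards, etc.
  }
  return result;
}

// sandbox.html side: evaluate a request and build the reply. Kept as a pure
// function so it can be exercised outside a browser.
function handleEvalRequest(request) {
  try {
    // Indirect eval runs in the sandbox's global scope, which has no chrome.* API.
    const value = (0, eval)(String(request.code));
    return { id: request.id, ok: true, value };
  } catch (err) {
    return { id: request.id, ok: false, error: String(err) };
  }
}

if (typeof window !== "undefined") {
  // In sandbox.html: answer the privileged page that sent the request.
  window.addEventListener("message", (event) => {
    event.source.postMessage(handleEvalRequest(event.data), event.origin);
  });
}

// Privileged page side: send code into the sandboxed <iframe> and await its reply.
// Target origin is "*" because a sandboxed frame without allow-same-origin has an
// opaque origin; the reply is matched on the frame's window and the request id.
function evalInSandbox(iframe, code, id = Date.now()) {
  return new Promise((resolve) => {
    const onReply = (event) => {
      if (event.source !== iframe.contentWindow || event.data.id !== id) return;
      window.removeEventListener("message", onReply);
      resolve(event.data);
    };
    window.addEventListener("message", onReply);
    iframe.contentWindow.postMessage({ id, code }, "*");
  });
}
```

In a real extension, `evalInSandbox` lives in the privileged page that embeds `<iframe src="sandbox.html">`, and the `window.addEventListener("message", ...)` branch is the script of sandbox.html; the sandboxed side never gets `chrome.*`, so anything privileged (storage, tabs, messaging) must be done by the privileged page after it receives the result.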

