拒绝加载脚本,因为它违反了以下内容安全策略指令:“script-src'self'

时间:2013-07-16 06:19:06

标签: google-chrome google-chrome-extension google-chrome-app

  

我正在尝试开发一个chrome应用程序,其中我想显示一个自定义Rss提要但是不会加载提要和上面的显示错误。

     

显示错误详细信息

Refused to load the script
 'https://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js'
 because it violates the following Content Security Policy directive:
 "script-src 'self'
 https://ajax.googleapis.com/ajax/libs/jquery/1.4.1/jquery.min.js".

     Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'
 https://ajax.googleapis.com/ajax/libs/jquery/1.4.1/jquery.min.js". 
 jquery.min.js:35

     Refused to load the script 'https://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js'
 because it violates the following Content Security Policy directive:
 "script-src 'self'
 https://ajax.googleapis.com/ajax/libs/jquery/1.4.1/jquery.min.js".

     Refused to load the script 'http://ajax.googleapis.com/ajax/services/feed/load?v=1.0&num=2&output=json&q=http%3A%2F%2Fblog.tax2290.com%2Ffeed%2F&hl=en&callback=jsonp1373953012503'
 because it violates the following Content Security Policy directive:
 "script-src 'self'
 https://ajax.googleapis.com/ajax/libs/jquery/1.4.1/jquery.min.js".
  

的manifest.json

{
      "name": "Tax New 2290",
      "manifest_version": 2,
      "version": "1.1",
      "description": "Tax 2290",
    "web_accessible_resources": ["images/logo.png"],
      "icons": {
        "16": "icon16.png",
        "19":"icon19.png",
        "48": "icon48.png",
        "128": "icon128.png",
        "256": "icon256.png"
    },
     "browser_action":
    {
    "default_icon":"images/logo.png",
    "default_popup":"index.html"
    },

         "permissions": ["tabs", "<all_urls>","http://www.tax2290.com","http://*/*", "https://*/*","http://*.google.com/"],
        "content_security_policy": "script-src 'self' https://ajax.googleapis.com/ajax/libs/jquery/1.4.1/jquery.min.js; https://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js; object-src 'self'"

    }
  

的index.html

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.4.1/jquery.min.js"></script>
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
<script type="text/javascript" src="images/feed.js"></script>
<link rel="stylesheet" href="images/style.css" type="text/css"  />
<title>Chrome Popup</title>
</head>
  

feed.js

        $(function() {
                var $items = $('#vtab>ul>li');
                $items.mouseover(function() {
                    $items.removeClass('selected');
                    $(this).addClass('selected');

                    var index = $items.index($(this));
                    $('#vtab>div').hide().eq(index).show();
                }).eq(0).mouseover();
            });


    $(document).ready(function () {  
       $('#divRss2').FeedEk({
            FeedUrl: 'http://blog.tax2290.com/feed/',
            MaxCount: 2,ShowDesc: true,
            ShowPubDate: true,
            DescCharacterLimit: 250
        });
    });


   > Please tel me how could avoid these errors and load the custom RSS feeds.

2 个答案:

答案 0 :(得分:2)

您的“content_security_policy”有几个问题。

1)首先,您应该删除1.4.1和1.9.1 jquery声明之间的分号。多个URL应该只用一个空格分隔,而不能用其他字符分隔。

2)第二个是您尝试加载此脚本“http://ajax.googleapis.com/ajax/services/feed/load?v=1.0&num=2&output=json&q=http%3A%2F%2Fblog.tax2290.com%2Ffeed%2F&hl=en&callback=jsonp1373953012503”,但您从未在CSP中允许这样做。

3)第三,似乎你需要允许内联脚本。

我会将您的“content_security_policy”更改为:

"content_security_policy": "script-src 'self' https://ajax.googleapis.com/ 'unsafe-inline'; object-src 'self'"

'unsafe-inline'应修复“拒绝执行内联脚本”错误。

https://ajax.googleapis.com/应该允许加载两个版本的jquery以及/ ajarx / services / feed / load URL。

答案 1 :(得分:1)

如果您构建打包的应用程序,则无法加载外部脚本。 您的应用程序必须嵌入每个脚本,样式或图像。

点击此链接以确保您遵循Chrome应用CSP规则:https://developer.chrome.com/extensions/contentSecurityPolicy