Question

这是我的Chrome扩展程序。

"permissions": [
"storage",
"https://app.socialschools.nl/*",
"http://*.google.com/", // Refer to http://goo.gl/CPeqK http://goo.gl/U3Vev
"bookmarks", // http://code.google.com/chrome/extensions/bookmarks.html
"chrome://favicon/",
"clipboardRead", // document.execCommand('paste').
"clipboardWrite", // document.execCommand('copy' OR 'cut')
"contextMenus", //http:///code.google.com/chrome/extensions/contextMenus.html
"cookies", // http://code.google.com/chrome/extensions/cookies.html
// "experimental", // http://code.google.com/chrome/extensions/dev/experimental.html
"fileBrowserHandler", // http://goo.gl/GqbrP
"geolocation", // http://dev.w3.org/geo/api/spec-source.html
"history", // http://code.google.com/chrome/extensions/history.html
"idle", // http://code.google.com/chrome/extensions/idle.html
"management", // http://code.google.com/chrome/extensions/management.html
"notifications", // code.google.com/chrome/extensions/notifications.html
"tabs", // http://code.google.com/chrome/extensions/tabs.html +windows.html
"tts", // http://code.google.com/chrome/extensions/tts.html
"ttsEngine", // http://code.google.com/chrome/extensions/ttsEngine.html
"unlimitedStorage"
],

"content_security_policy":"script-src 'unsafe-eval' https://apps.socialschools.nl/;object-src 'self';connect-src https://app.socialschools.nl/",

我在script-src，permissions和connect-src中添加了API url（https://app.socialschools.nl）。不过，我收到了这个错误：

Refused to load the script 'https://app.socialschools.nl/apiv1/public/924/post/?callback=jQuery16200253…109_1398087409246&only_descendants=false&number_of_items=5&_=1398087409299' because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' https://apps.socialschools.nl/".

我似乎无法理解我在这里缺少的东西？有人可以帮我解决这个问题。

提前致谢。

Answer 1

我发现API尚不支持HTTPS，CSP的script-src需要HTTPS来支持外部资源。因此，内容安全政策存在问题。

Chrome扩展程序中的内容安全政策问题

1 个答案: