This is the error I get when trying to set up a Google sign-in button:
Refused to load the script 'https://apis.google.com/js/platform.js' because it violates the following Content Security Policy directive: "script-src 'self' https://ssl.google-analytics.com".
This is my HTML head:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="google-signin-client_id" content="898781594724-s0fh16gcroad2e37ds2q09r5qmoqpu73.apps.googleusercontent.com">
<!-- css file -->
<link rel="stylesheet" type="text/css" href="css/styleVidyo.css" />
<!-- javascript files -->
<script type="text/javascript" src="js/vidyoChromeExt.js"></script>
<!-- Developer code -->
<script type="text/javascript" src="js/jquery-1.9.1.min.js"></script>
<!-- Google analytics code -->
<script type="text/javascript" src="js/popup.js"></script>
<script src="https://apis.google.com/js/platform.js" async defer></script>
<!-- Opensource code -->
</head>
This is the manifest:
{
"update_url": "https://clients2.google.com/service/update2/crx",
"manifest_version": 3,
"omnibox": { "keyword" : "Send a Vidyo Invite" },
"name": "Send a Vidyo Invite",
"description": "Quickly send a Vidyo invite using Google Mail or Google Calendar",
"version": "2.0.2",
"icons": {
"16": "img/icon_16.png" ,
"48": "img/icon_48.png" ,
"128": "img/icon_128.png"
},
"content_scripts": [{
"matches": ["*://mail.google.com/*", "*://accounts.google.com/*", "*://www.google.com/calendar/*", "*://calendar.google.com/*"],
"js": ["js/jquery-2.0.3.min.js", "js/vidyoCalendar.js", "js/dateFormat.js"],
"css": ["css/ui.css"],
"run_at": "document_end"
}],
"homepage_url": "http://www.vidyo.com",
"content_security_policy": "script-src 'self' 'unsafe-eval' https://ssl.google-analytics.com; object-src 'self'",
"permissions": [
"cookies",
"tabs",
"*://*.google.com/*",
"http://*/*",
"https://*/*",
"notifications",
"contentSettings",
"identity"
],
"web_accessible_resources": [
"js/jquery-1.9.1.min.js",
"js/vidyoChromeExt.js",
"vidyoChromeExt.html",
"js/jquery-2.0.3.min.map",
"img/icon_48.png",
"img/icon_16.png"
],
"background": {
"scripts": ["js/eventPage.js"]
},
"browser_action": {
"default_title": "Send a Vidyo Invite",
"default_icon": "img/icon_128.png",
"default_popup": "vidyoChromeExt.html"
}
}
PS: I edited the content_security_policy line:
"content_security_policy": "script-src 'self' 'unsafe-eval' https://ssl.google-analytics.com https://apis.google.com/js/platform.js; object-src 'self'",
Now I get this error:
platform.js:7 Refused to load the script 'https://apis.google.com/_/scs/apps-static/_/js/k=oz.gapi.en.5Qa4K6bqWYU.O/m…sv=1/d=1/ed=1/am=AQ/rs=AGLTcCNyN716KFiep1ch6_hoUSsIDwsHUA/cb=gapi.loaded_0' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' https://ssl.google-analytics.com https://apis.google.com/js/platform.js".
PPS: I did manage to get it to load the script and pass the content_security_policy. But now I get this error:
cb=gapi.loaded_0:155 Uncaught gapi.auth2.ExternallyVisibleError: Invalid cookiePolicy
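Any ideas? Is this because it is an extension? I found this, which might help: https://github.com/google/google-api-javascript-client/issues/64, but so far it hasn't worked.
Answer 0: (score: 0)
I quote:
..because it violates the following Content Security Policy directive: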
"script-src 'self' https://ssl.google-analytics.com"
And from your manifest:
"content_security_policy":
"script-src 'self' 'unsafe-eval' https://ssl.google-analytics.com; object-src 'self'",
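This does not match the https://apis.google.com origin, so this is indeed what CSP is supposed to do: refuse to execute it.
Read up on Content Security Policy in Chrome extensions, and modify the CSP to allow the origin rather than the individual script (because the Google API will load more scripts as modules, and you don't know the URLs in advance).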
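The following is an added example, not part of the original answer and not Chrome's implementation: a simplified model of `script-src` source matching showing why allowing the single `platform.js` URL still blocks the modules it loads, while allowing the origin permits both. The extension origin, the module URL and the third policy are constructed for illustration.

```javascript
// Simplified model of CSP script-src matching: scheme, host and path only.
// Not Chrome's implementation; ports, wildcards and redirects are ignored.
const originOf = (u) => `${u.protocol}//${u.host}`;

function scriptSources(policy) {
  for (const directive of policy.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "script-src") return sources;
  }
  return [];
}

function matchesSource(source, url, selfOrigin) {
  const target = new URL(url);
  if (source === "'self'") return originOf(target) === selfOrigin;
  if (source.startsWith("'")) return false; // e.g. 'unsafe-eval' permits no URL
  let allowed;
  try { allowed = new URL(source); } catch { return false; }
  if (originOf(allowed) !== originOf(target)) return false;
  // "https://host" parses to path "/", which prefix-matches every path.
  // A path ending in "/" is a prefix; any other path must match exactly.
  return allowed.pathname.endsWith("/")
    ? target.pathname.startsWith(allowed.pathname)
    : target.pathname === allowed.pathname;
}

function allowsScript(policy, url, selfOrigin) {
  return scriptSources(policy).some((s) => matchesSource(s, url, selfOrigin));
}

// Policies: the first two are from the question; the third is constructed.
const BASE = "script-src 'self' 'unsafe-eval' https://ssl.google-analytics.com";
const POLICIES = {
  original: `${BASE}; object-src 'self'`,
  singleScript: `${BASE} https://apis.google.com/js/platform.js; object-src 'self'`,
  wholeOrigin: `${BASE} https://apis.google.com; object-src 'self'`,
};
const SELF = "chrome-extension://constructed-extension-id"; // constructed
const PLATFORM = "https://apis.google.com/js/platform.js";
// Constructed stand-in for a module that platform.js loads afterwards.
const MODULE = "https://apis.google.com/_/scs/constructed/module.js";

for (const [name, policy] of Object.entries(POLICIES)) {
  console.log(name, "platform.js:", allowsScript(policy, PLATFORM, SELF),
    "module:", allowsScript(policy, MODULE, SELF));
}
```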