Content-Security-Policy error in google chrome extension making

javascript google-chrome google-chrome-extension content-security-policy

I am making a chrome extension that will open all links on a page in new tabs.

Here are my code files:

manifest.json

{
  "name": "A browser action which changes its icon when clicked.",
  "version": "1.1",
    "permissions": [
    "tabs", "<all_urls>"
  ],
 "browser_action": {     
    "default_title": "links",      // optional; shown in tooltip
    "default_popup": "popup.html"        // optional
  },
 "content_scripts": [
    {
    "matches": [ "<all_urls>" ],
      "js": ["background.js"]
    }
  ],
  "manifest_version": 2
}

popup.html

<!doctype html>
<html>
  <head>
    <title>My Awesome Popup!</title>
    <script>
function getPageandSelectedTextIndex() 
  { 
    chrome.tabs.getSelected(null, function(tab) { 
    chrome.tabs.sendRequest(tab.id, {greeting: "hello"}, function (response) 
    { 
        console.log(response.farewell); 
    }); 
   }); 
        } 
chrome.browserAction.onClicked.addListener(function(tab) { 
        getPageandSelectedTextIndex(); 
});
         </script>
  </head>
  <body>
    <button onclick="getPageandSelectedTextIndex()">
      </button>
  </body>
</html>

background.js

chrome.extension.onRequest.addListener(
  function(request, sender, sendResponse) {
    console.log(sender.tab ?
                "from a content script:" + sender.tab.url :
                "from the extension");
    if (request.greeting == "hello")
    updateIcon();  

});
function updateIcon() {
  var allLinks = document.links;
  for (var i=0; i<allLinks.length; i++) {
    alllinks[i].style.backgroundColor='#ffff00';

}
}

Initially I wanted to highlight all the links on the page or mark them in some way; but I get the error "Refused to execute inline script because of Content-Security-Policy".

When I press the button inside the popup, I get this error: Refused to execute inline event handler because of Content-Security-Policy.

Please help me fix these errors, so I can open all links in new tabs using my chrome extension.


Solution 1:

One of the consequences of "manifest_version": 2 is that Content Security Policy is enabled by default. And Chrome developers chose to be strict about it and always disallow inline JavaScript code - only code placed in an external JavaScript file is allowed to execute (to prevent Cross-Site Scripting vulnerabilities in extensions). So instead of defining getPageandSelectedTextIndex() function in popup.html you should put it into a popup.js file and include it in popup.html:

<script type="text/javascript" src="popup.js"></script>

And <button onclick="getPageandSelectedTextIndex()"> has to be changed as well, onclick attribute is also an inline script. You should assign an ID attribute instead: <button id="button">. Then in popup.js you can attach an event handler to that button:

window.addEventListener("load", function()
{
  document.getElementById("button")
          .addEventListener("click", getPageandSelectedTextIndex, false);
}, false);

Related

Query a database based on result of query from another database
MySQL INT meaning
Clear controls does not dispose them - what is the risk?
What is a reference-to-pointer?
Selenium WebDriverException: unknown error: call function result missing 'value' while calling sendkeys method
Using LibTiff from C# (to access tiled TIFF images)
How do I segment the elements iterated over in a foreach loop
Dynamically cross-join multiple different-size collections together in Linq (C#)
Variable interpolation in Python [duplicate]
Global function definition in header file - how to avoid duplicated symbol linkage error
How to apply indenting serialization only to some properties?
What is the "?" symbol in URL used for in php?