How to set script-src in a Chrome packaged app

google-chrome-app

I'm trying to create a Chrome packaged app from a complicated web app. I'm currently getting the error:

Refused to execute inline event handler because it violates the
following Content Security Policy directive: "default-src 'self'
chrome-extension-resource:". Note that 'script-src' was not explicitly
set, so 'default-src' is used as a fallback.

How do I explicitly set the policy in my manifest.json? I've tried things like:

"content_security_policy": "default-src 'inline'; script-src 'inline'"

but I still get the same error message. Is my syntax wrong, or is the error a red herring?

Best Solution

You can't loosen the default CSP in a packaged app. If you're doing something like <button id="foo" onclick="doSomething()"> then you should instead include a separate JS file in the HTML where you do a document.querySelector("#foo").onclick = doSomething; in your onload handler. This will comply with CSP and make your app more resistant to XSS attacks.

Related Question