'Chrome Extension: Refused to load the script, because it violates the following Content Security Policy directive: "script-src 'self'"

I'm trying to add a game to Chrome Web Store as an extension, but I'm having some problems with it. The game is made in Unity3D.

The Error:

Refused to load the script 'blob:chrome-extension://laacabdjcfgafjkeclplanjohdbpapgn/88f06275-2339-4218-a7c4-ab954cbaafdc' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

The code where the error is triggered:

function f() {
        return d("frameworkUrl").then(function(e) {
            var t = URL.createObjectURL(new Blob([e], {
                type: "application/javascript"
            }));
            return new Promise(function(e, n) {
                var r = document.createElement("script");
                r.src = t, r.onload = function() {
                    var n = unityFramework;
                    unityFramework = null, r.onload = null, URL.revokeObjectURL(t), e(n)
                }, document.body.appendChild(r), c.deinitializers.push(function() {
                    document.body.removeChild(r)
                })
            })
        })
    }

The exact line:

 }, document.body.appendChild(r), c.deinitializers.push(function() {

Image: Error from Chrome Extension Dashboard in Developer Mode

The extension is using Manifest Version 3. No external scripts/resources are being used. I'm trying for some days to solve this, but I couldn't make it.

Has anybody tried something like this and could help me? Or maybe you have an idea... I'm open to it.

Thanks! :)

unity3dgoogle-chrome-extensionmanifestcontent-security-policymanifest.json


Solution 1:[1]

Your code try to add external script t to the extension page. It is conceptually prohibited in manifest V3 for security reason. Actually, CSP directive script-src 'self' prohibits that.

https://developer.chrome.com/docs/extensions/mv3/intro/mv3-migration/#content-security-policy

You cannot execute external code also in content script.

https://developer.chrome.com/docs/extensions/mv3/intro/mv3-migration/#executing-arbitrary-strings

If you want to execute external code, you can execute it in sandbox page.

https://developer.chrome.com/docs/extensions/mv3/manifest/sandbox/

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 hashed tomato

Related Questions

How to test chrome extensions?

Recommendations for a "Getting started with Greasemonkey" tutorial [closed]

Chrome-extension: Append functions to right click menu

Listening to DOM events (specific attributes)

Displaying Emoji in Google Chrome

Problem chrome content security policy react extension manifest

chrome.runtime.sendMessage in content script doesn't send message

Is it possible to inject a custom authentication library into a chrome extension background script?

Chrome Extensions: how to set function to execute when day has changed

Send Discord Embed to Webhook with XHR Request

sending message to chrome extension from a web page

How do I switch to the active tab in Selenium?

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'"

How to send / receive message between chrome extension native messaging and c# app

Origin is changed in Chrome Extension Service Worker Fetch Request