'Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'"

Im creating a chrome extension for Rss reader in that im getting the above error. please help

manifest.json

{
    "name": "Tutorialzine Extension",
        "manifest_version": 2,
        "version": "1.1",
        "description": "Making your first Google Chrome extension.",
        "icons": {
        "128": "icon_128.png"
    },
        "web_accessible_resources": ["script.js", "https://query.yahooapis.com"],
        "browser_action": {
        "default_icon": "icon.png",
            "default_popup": "tutorialzine.html"
    },
        "permissions": ["tabs", "<all_urls", "http://localhost/",
        "http://*/*", "https://*/*", "https://query.yahooapis.com"],
        "content_security_policy": "script-src 'self'; 'https://query.yahooapis.com';unsafe-inline; object-src 'self'"
}

script.js

$(document).ready(function () {

    var query = "SELECT * FROM feed WHERE url='http://feeds.feedburner.com/Tutorialzine' LIMIT 2";

    // Storing the seconds since the epoch in now:
    var now = (new Date()).getTime() / 1000;

    // If there is no cache set in localStorage, or the cache is older than 1 hour:
    if (!localStorage.cache || now - parseInt(localStorage.time) > 1 * 60 * 60) {
        $.get("yahoo.js", function (msg) {

            // msg.query.results.item is an array:
            var items = msg.query.results.item;
            var htmlString = "";

            for (var i = 0; i < items.length; i++) {
                var tut = items[i];

                // Extracting the post ID from the permalink:
                var id = tut.guid.content.match(/(\d+)$/)[0];

                // Looping and generating the markup of the tutorials:

                htmlString += '<div class="tutorial">\
                            <img src="http://tutorialzine.com/img/posts/' + id + '.jpg" />\
                            <h2>' + tut.title + '</h2>\
                            <p>' + tut.description + '</p>\
                            <a href="' + tut.link + '" target="_blank">Read more</a>\
                            </div>';
            }

            // Setting the cache
            localStorage.cache = htmlString;
            localStorage.time = now;

            // Updating the content div:
            $('#content').html(htmlString);
        }, 'json');
    } else {
        // The cache is fresh, use it:
        $('#content').html(localStorage.cache);
    }
}

Error in jquery.min.js:

Jquery.min.js contains inline script what to do 

parentNode:d.removeChild(d.appendChild(s.createElement("div"))).parentNode===null,deleteExpando:true,checkClone:false,scriptEval:false,noCloneEvent:true,boxModel:null};b.type="text/javascript";try{b.appendChild(s.createTextNode("window."+f+"=1;"))}catch(i){}a.insertBefore(b,a.firstChild);if(A[f]){c.support.scriptEval=true;delete A[f]}try{delete b.test}catch(o){c.support.deleteExpando=false}a.removeChild(b);if(d.attachEvent&&d.fireEvent){d.attachEvent("onclick",function k(){c.support.noCloneEvent=
google-chromegoogle-chrome-extensiongoogle-chrome-app


Solution 1:[1]

I also faced such type of problem when working with LinkedIn oAuth API.

I was using linkedIn API with following settings for cordova

config.xml

 <access origin="*" launch-external="yes"/>
  <allow-navigation href="*" />

Meta Tag was

 <meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'">

Script

<script type="text/javascript" src="http://platform.linkedin.com/in.js"></script>

When i run the application on emulator its giving

enter image description here

Fixed Problem to add uri into meta tag http://platform.linkedin.com like

<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' http://platform.linkedin.com ">

Solution 2:[2]

It can be reason if you have this code in your htaccess. CommentOut this can fix your issue

<IfModule mod_headers.c>
  Header set Content-Security-Policy "script-src 'self' https://www.example.com/"
</IfModule>

Solution 3:[3]

I had this error a couple of times in a few days, for no apparent reason (I forget the first "cause", but the second occurrance of this message was after a machine restart).

No amount of returning to previous working branches helped, nor adding the meta tags detailed in this question and here (basically the same).

So I deleted node_modules, and it's gone away now, and all is working well. Maybe someone else's code is as random as mine...

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 O'Neil
Solution 2 Asif Asghar
Solution 3 Ctrl-Zed

Related Questions

How to mock browser requests based on har files?

How to test chrome extensions?

Hide scroll bar, but while still being able to scroll

Downloading/Opening .csv file using Google chrome, it changes extension of .csv file to .xls

Chrome doesn't support `font-family: "Arial Bold"`?

Google Chrome Extension Manipulate URL

Recommendations for a "Getting started with Greasemonkey" tutorial [closed]

How to manually send HTTP POST requests from Firefox or Chrome browser

Google Chrome developer tools: missing storage tab

Adding items in DOM with jQuery without browser scrollbar update

Manually adding a Userscript to Google Chrome

Chrome local overrides with port number?

change to this file were not saved to file system error in google chrome version 30.0.1599.101 m

Google Chrome autofill background color change?

Chrome Developer Tools: missing source tab