Chrome App : Refused to execute inline script because it violates the following Content Security Policy directive

Question

I did some research on the same thread and tried the answers that I got. But still, the same error throws every time.

In my case, it's a chrome app and on one page I'm using an iframe and I'm pointing src into some XHTML content. That actually contain some inline style and scripts, which I cant remove or change.

Below is my manifest file.

{
    "manifest_version": 2,
    "name": "*****",
    "short_name": "****",
    "version": "*****",
    "permissions": [""],
    "content_security_policy": "default-src 'self' 'unsafe-inline' 'unsafe-eval'; script-src 'unsafe-inline' 'unsafe-eval' 'self'; object-src 'self' 'unsafe-inline' 'unsafe-eval'",
    "app": {
        "background": {
            "scripts": ["chrome.js"]
        }
    },
    "icons": {
        "16": "1.png",
        "48": "2.png",
        "128": "3.png"
        },
    "sandbox": {
        "pages": [
            "****.html"
        ]
    }
}

Answer 1

Please refer to the the Content Security Policy guidelines:

Inline Script

Up until Chrome 45, there was no mechanism for relaxing the restriction against executing inline JavaScript. In particular, setting a script policy that includes 'unsafe-inline' will have no effect.

As of Chrome 46, inline scripts can be whitelisted by specifying the base64-encoded hash of the source code in the policy. This hash must be prefixed by the used hash algorithm (sha256, sha384 or sha512). See Hash usage for elements for an example.