{"id":6685,"date":"2014-04-21T12:52:30","date_gmt":"2014-04-21T12:52:30","guid":{"rendered":"https:\/\/unknownerror.org\/index.php\/2014\/04\/21\/problem-about-content-security-policy-collection-of-common-programming-errors\/"},"modified":"2014-04-21T12:52:30","modified_gmt":"2014-04-21T12:52:30","slug":"problem-about-content-security-policy-collection-of-common-programming-errors","status":"publish","type":"post","link":"https:\/\/unknownerror.org\/index.php\/2014\/04\/21\/problem-about-content-security-policy-collection-of-common-programming-errors\/","title":{"rendered":"problem about content-security-policy-Collection of common programming errors"},"content":{"rendered":"<ul>\n<li><img decoding=\"async\" src=\"http:\/\/www.gravatar.com\/avatar\/556043dbd5327fe67068f42fba8a6802?s=32&amp;d=identicon&amp;r=PG\" \/><br \/>\nsgrove<br \/>\ngoogle-chrome-extension firebase content-security-policy<br \/>\nI&#8217;m trying to use Firebase in a Chrome extension background page, but it looks like it&#8217;s executing inline-scripts, which isn&#8217;t allowed because of security concerns.I&#8217;ve currently set the CSP to:{&#8220;content_security_policy&#8221;: &#8220;script-src &#8216;self&#8217; https:\/\/cdn.firebase.com https:\/\/&lt;my-subdomain&gt;.firebaseio.com; object-src &#8216;self'&#8221;}I&#8217;m able to load the initial Firebase script, but upon calling new Firebase(&#8216;my-firebase-url&#8217;), I get the following error:Refused to execute inline script because it viol<\/li>\n<li><img decoding=\"async\" src=\"http:\/\/www.gravatar.com\/avatar\/13b41b2620da0b1e630715e0c91a0b03?s=32&amp;d=identicon&amp;r=PG\" \/><br \/>\nJosh Lee<br \/>\ngoogle-chrome-app mathjax content-security-policy<br \/>\nI am trying to use MathJax in Chrome Packaged app. It is not loading at all giving the following error :Uncaught EvalError: Refused to evaluate a string as JavaScript because &#8216;unsafe-eval&#8217; is not an allowed source of script in the following Content Security Policy directive: &#8220;default-src &#8216;self&#8217; chrome-extension-resource:&#8221;.How can I make it work?EDITIT is showing this line to be the problem in the libraryvar CONSTRUCTOR = function () {return new Function (&#8220;return arguments.callee.Init.call(this,a<\/li>\n<li><img decoding=\"async\" src=\"http:\/\/www.gravatar.com\/avatar\/3c27881a0d8695811b0fa23bd794e696?s=32&amp;d=identicon&amp;r=PG\" \/><br \/>\nMike West<br \/>\njavascript onload content-security-policy<br \/>\nDo not understand the the effect of the policy I specify at my site http:\/\/pcrypt.org\/dev\/groups.php.header(&#8220;X-Content-Security-Policy: allow &#8216;self&#8217;; img-src *; script-src &#8216;self&#8217;; frame-src &#8216;self&#8217;; style-src &#8216;self&#8217;;&#8221;);If I disallow inline scripts how do I then call a function. In the page I have tried to call a function located in a js file on the server from onload (body onload=&#8217;initialize()&#8217;) but it generate this error (sorry in Danish):Advarsel: CSP: Directive &#8220;inline script base restriction&#8221;<\/li>\n<\/ul>\n<p>Web site is in building<\/p>\n","protected":false},"excerpt":{"rendered":"<p>sgrove google-chrome-extension firebase content-security-policy I&#8217;m trying to use Firebase in a Chrome extension background page, but it looks like it&#8217;s executing inline-scripts, which isn&#8217;t allowed because of security concerns.I&#8217;ve currently set the CSP to:{&#8220;content_security_policy&#8221;: &#8220;script-src &#8216;self&#8217; https:\/\/cdn.firebase.com https:\/\/&lt;my-subdomain&gt;.firebaseio.com; object-src &#8216;self&#8217;&#8221;}I&#8217;m able to load the initial Firebase script, but upon calling new Firebase(&#8216;my-firebase-url&#8217;), I get the [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-6685","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts\/6685","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/comments?post=6685"}],"version-history":[{"count":0,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts\/6685\/revisions"}],"wp:attachment":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/media?parent=6685"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/categories?post=6685"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/tags?post=6685"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}