CSP Error, run in chrome extension mv2 [background.html]

[mLiGuangYuan]

Describe the bug

I want to do bug tracking and online debugging in my chrome extension, and register it within its background.html, I'm inject page-spy/index.min.js, but I encounter the following error

The current form of HTMLElement Event script injection is insecure and does not comply with the content security policy standard, is there any good solution or way to improve it?

Steps to reproduce

No response

System Info

System:
    OS: macOS 13.4
    CPU: (8) x64 Apple M1
    Memory: 27.56 MB / 16.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 14.20.0 - ~/.volta/tools/image/node/14.20.0/bin/node
    Yarn: 1.22.19 - ~/.volta/tools/image/yarn/1.22.19/bin/yarn
    npm: 6.14.17 - ~/.volta/tools/image/node/14.20.0/bin/npm
    pnpm: 8.13.1 - ~/.volta/bin/pnpm

Logs

No response

Validations

• [X] Read the FAQ.
• [X] Read the Contributing Guidelines.
• [X] Check that there isn't already an issue that reports the same bug to avoid creating a duplicate.
• [X] The provided reproduction is a minimal reproducible example of the bug.

[mLiGuangYuan]

It looks like that's what caused it. content-security-policy-refused-to-execute-inline-event-handler-error

[wqcstrong]

It seems that the browser extension imposes stricter restrictions in CSP. I tried placing an empty popup.html page and setting the content in the manifest.json,

{
  // ... others
  "content_security_policy": {
    "extension_pages": "script-src 'unsafe-inline'"
  },
}

but when attempting to load, it resulted in an error 'content_security_policy.extension_pages': Insecure CSP value "'unsafe-inline'" in directive 'script-src'.

From the behavior, it may not be the appropriate time to load PageSpy in the extension. Besides that the PageSpy SDK relies on Modernizr, which might trigger additional CSP rules, such as detecting the oninput event.