CSP - modify content_security_policy for build

adambullmer / vue-cli-plugin-browser-extension

Browser extension development plugin for vue-cli 3.0

GNU Lesser General Public License v3.0

426 stars 76 forks source link

CSP - modify content_security_policy for build #96

Closed realrecordzLab closed 3 years ago

realrecordzLab commented 3 years ago

Is possible to set the CSP for the extension when is build with a custom configuration?

amitmtrn commented 3 years ago

it seems like you can but replaces the unsafe-eval https://github.com/adambullmer/vue-cli-plugin-browser-extension/blob/master/lib/manifest.js#L37

skys215 commented 3 years ago

I've faced same problem:Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".

I've tried to add "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'", in manifest.json and rebuild it, but problem remains.

adambullmer commented 3 years ago

Unsafe eval isn't allowed in extensions in the chrome/mozilla stores, so this plugin actively replaces them in production builds. If you are distributing yourself you can continue to use dev builds, or manually update the manifest in the resulting archive.