I'm reading Chrome extension document "Content Security Policy (CSP)". It says:
Inline JavaScript, as well as dangerous string-to-JavaScript methods like eval, will not be executed. This restriction bans both inline blocks and inline event handlers (e.g. <button onclick="...">)....
There is no mechanism for relaxing the restriction against executing inline JavaScript. In particular, setting a script policy that includes unsafe-inline will have no effect. This is intentional.
Why are inline <script> blocks unsafe? Can anyone explain it? It would be better if you could give examples.
Thank you.
As the page says:
Basically any script you load needs to be in a separate file accessible locally to the extension. This prevents you from loading 3rd party scripts that get injected into your page or including them like:
An example of this is if you have a form a user can fill out. The user can enter a script tag with some JS in it. Let's say it's like a discussion forum. I go in and make a topic but it has some hidden JS in it. Let's also assume you don't clean that out before posting it. Now my post has JS that will execute every time somebody views it. This prevents that script from being executed.
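Added example (not part of the question or the answer above): a minimal model of the forum scenario the answer describes, written in plain JavaScript so it runs under Node without a browser. The post text, author name, and the three functions (renderPostUnsafe, renderPostSafe, findInlineScript) are constructed for this illustration; they are not from the Chrome documentation. It shows how a post containing an inline <script> block and an inline on* handler becomes executable code when concatenated straight into the page, how HTML-escaping turns it into inert text, and how to check rendered markup for the two inline-script forms the CSP text bans.

```javascript
// Added example (not from the question or the answer): a toy forum renderer.
// User-submitted post text is placed into HTML; if it goes in verbatim, any
// <script> block or on* handler it carries becomes inline script in the page
// and runs for every viewer (stored XSS). An extension CSP that forbids inline
// script is a second layer that refuses to run such code even if it gets in.

// Constructed sample: a post carrying both inline-script forms the Chrome CSP
// text bans (an inline block and an inline event handler).
const UNTRUSTED_POST =
  'Nice topic! <script>alert("runs for every viewer")</script>' +
  ' <img src="x" onerror="alert(2)">';

// Vulnerable rendering: user text is concatenated straight into the markup.
function renderPostUnsafe(author, body) {
  return `<div class="post"><b>${author}</b>: ${body}</div>`;
}

// Escape the five characters that let text break out of an HTML text node or
// attribute value, so the post is displayed as characters rather than parsed.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened rendering: same markup, but both user-controlled fields escaped.
function renderPostSafe(author, body) {
  return `<div class="post"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Defender-side check: list the inline-script vectors present in rendered HTML.
// Under a CSP that forbids inline script, every hit here is blocked by the
// browser; without that CSP, each hit is code that runs in the viewer's page.
function findInlineScript(html) {
  const findings = [];
  const scriptTag = /<script\b[^>]*>/gi;
  const eventHandler = /\son[a-z]+\s*=\s*["'][^"']*["']/gi;
  for (const m of html.matchAll(scriptTag)) {
    findings.push({ kind: 'inline-block', text: m[0] });
  }
  for (const m of html.matchAll(eventHandler)) {
    findings.push({ kind: 'event-handler', text: m[0].trim() });
  }
  return findings;
}

// Stand-alone run: compare the two renderings of the same untrusted post.
const unsafeHtml = renderPostUnsafe('mallory', UNTRUSTED_POST);
const safeHtml = renderPostSafe('mallory', UNTRUSTED_POST);
console.log('unsafe rendering vectors:', findInlineScript(unsafeHtml));
console.log('safe rendering vectors:  ', findInlineScript(safeHtml));
```

The unsafe rendering reports two vectors (the script block and the onerror handler); the escaped rendering reports none, because the post is now text rather than markup. Escaping and a no-inline-script CSP are complementary: escaping keeps untrusted text from becoming markup, and the CSP refuses to execute inline code that reaches the page anyway.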