Why is script-src: 'unsafe-inline' forbidden

I’m displaying search engine results in the sidebar via an iframe and the results occasionally include inline script, so I added the above in the manifest.json file.

I’m now getting the following error message:

Reading manifest: Error processing content_security_policy: SyntaxError: ‘script-src’ directive contains a forbidden ‘unsafe-inline’ keyword

Btw, I had also set the iframe’s sandbox attribute to ‘allow-scripts’.

Is there a way to fix this?

The way to fix this is not to have inline scripts. It sounds like these search engine results even have scripts that come from a remote location, which isn’t allowed either.

Sad thing is that functionality is lost, meaning that in certain cases images and video thumbnails don’t get displayed next to each result. Instead, you just get a white rectangle!

Why do those need to be loaded by inline scripts? That doesn’t sound like it should require inline JS.

That’s a good question for those who design the search engines and how they present search results. All I can do is try to adapt so that users still get a good experience.

When removing ‘unsafe-inline’ from manifest.json using ecosia.org in the sidebar:

When allowing ‘unsafe-inline’ in manifest.json, using ecosia.org in the sidebar:

Yet, some scripts are still being blocked:
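The reply earlier in the thread (no inline scripts, and no scripts loaded from a remote location) can be checked against a manifest before Firefox rejects it. As an added example that is not part of the original thread, this small JavaScript checker parses a `content_security_policy` string and reports both problems for `script-src`; treating remote hosts as disallowed follows that reply and is a simplified model of the validation, not Firefox's own code.

```javascript
// Added example (not from the original thread): parse a WebExtension
// manifest.json content_security_policy string and report why its
// script-src directive would be rejected. Simplified model of the rules
// discussed in the thread, not Firefox's actual manifest validator.

function parseCsp(policy) {
  // "directive value value; directive value" -> Map(directive -> [values])
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives.set(name.toLowerCase(), values);
  }
  return directives;
}

function checkScriptSrc(policy) {
  const directives = parseCsp(policy);
  // CSP falls back to default-src when script-src is absent; with neither
  // present the browser applies its own default policy, so nothing to flag.
  const sources =
    directives.get("script-src") ?? directives.get("default-src") ?? [];
  const problems = [];
  for (const src of sources) {
    const s = src.toLowerCase();
    if (s === "'unsafe-inline'") {
      // Exactly the condition behind the SyntaxError quoted in the thread.
      problems.push("script-src contains the forbidden 'unsafe-inline' keyword");
    } else if (s === "*" || /^https?:/.test(s)) {
      // Remote script sources: treated as disallowed per the reply above
      // (assumption: any http(s) host or wildcard counts as remote).
      problems.push(`script-src allows remote scripts from ${src}`);
    }
  }
  return problems;
}

// Constructed sample policies for illustration.
const rejected = "script-src 'self' 'unsafe-inline'; object-src 'self'";
const accepted = "script-src 'self'; object-src 'self'";
console.log(checkScriptSrc(rejected)); // one problem: forbidden 'unsafe-inline'
console.log(checkScriptSrc(accepted)); // []
```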