Why is script-src: 'unsafe-inline' forbidden

(Olivier De Broqueville) #1

I’m displaying search engine results in the sidebar via an iframe and the results occasionally include inline script, so I added the above in the manifest.json file.

I’m now getting the following error message:

Reading manifest: Error processing content_security_policy: SyntaxError: ‘script-src’ directive contains a forbidden ‘unsafe-inline’ keyword

Btw, I had also set the iframe’s sandbox attribute to ‘allow-scripts’.

Is there a way to fix this?


(Martin Giger) #2

The way to fix this is not to have inline scripts. It sounds like these search engine results even have scripts that come from a remote location, which isn’t allowed either.
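
An added example, not from this thread or from Firefox itself: a small linter that parses a manifest's `content_security_policy` string and reports the two problems raised in this answer, `'unsafe-inline'` in `script-src` and remote script sources. The rule that any unquoted source token counts as "remote" is an assumption made for the check; the policy strings in the comments are constructed.

```javascript
// Parse a CSP string such as "script-src 'self'; object-src 'self'"
// into an object mapping directive name -> array of source tokens.
function parseCsp(csp) {
  const directives = {};
  for (const part of csp.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return directives;
}

// Return a list of problems with the script sources an extension CSP allows.
// Two checks, matching the thread: 'unsafe-inline' is forbidden in script-src,
// and (assumption for this linter) any unquoted token is treated as a remote
// source, which is not what an extension should be loading scripts from.
function lintExtensionCsp(csp) {
  const directives = parseCsp(csp);
  // script-src falls back to default-src when absent, as in real CSP.
  const scriptSrc = directives["script-src"] || directives["default-src"] || [];
  const problems = [];

  if (scriptSrc.includes("'unsafe-inline'")) {
    problems.push("script-src contains forbidden 'unsafe-inline'");
  }
  for (const src of scriptSrc) {
    const isKeyword = src.startsWith("'") && src.endsWith("'");
    if (!isKeyword) {
      problems.push(`script-src allows remote source ${src}`);
    }
  }
  return problems;
}

// Constructed policies: the one that triggers the manifest error, and a
// policy that only allows scripts packaged inside the extension.
const REJECTED_CSP = "script-src 'self' 'unsafe-inline'; object-src 'self'";
const ACCEPTED_CSP = "script-src 'self'; object-src 'self'";

console.log(lintExtensionCsp(REJECTED_CSP)); // one problem: 'unsafe-inline'
console.log(lintExtensionCsp(ACCEPTED_CSP)); // []
```

Run it with `node` before packaging: an empty result for the policy you intend to ship means the manifest will not fail on the `'unsafe-inline'` check, and any inline script in the sidebar page has to be moved into a file bundled with the extension instead.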


(Olivier De Broqueville) #3

Sad thing is that functionality is lost, meaning that in certain cases images and video thumbnails don’t get displayed next to each result. Instead, you just get a white rectangle!


(Martin Giger) #4

Why do those need to be loaded by inline scripts? That doesn’t sound like it should require inline JS.


(Olivier De Broqueville) #5

That’s a good question for those who design the search engines and how they present search results. All I can do is try to adapt so that users still get a good experience.

When removing ‘unsafe-inline’ from manifest.json using ecosia.org in the sidebar:

When allowing ‘unsafe-inline’ in manifest.json, using ecosia.org in the sidebar:

Yet, some scripts are still being blocked: