Javascript Chrome 扩展不加载 https://apis.google.com/js/platform.js 脚本

Question

这是我在尝试设置 google 登录按钮时遇到的错误：

Refused to load the script 'https://apis.google.com/js/platform.js' because it violates the following Content Security Policy directive: "script-src 'self' https://ssl.google-analytics.com".

这是我的 html 标头：

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="google-signin-client_id" content="898781594724-s0fh16gcroad2e37ds2q09r5qmoqpu73.apps.googleusercontent.com">
<!-- css file -->
<link rel="stylesheet" type="text/css" href="css/styleVidyo.css" />
<!-- javascript files -->
<script type="text/javascript" src="js/vidyoChromeExt.js"></script>
<!-- Developer code -->
<script type="text/javascript" src="js/jquery-1.9.1.min.js"></script>
<!-- Google analytics code -->
<script type="text/javascript" src="js/popup.js"></script>
<script src="https://apis.google.com/js/platform.js" async defer></script>
<!-- Opensource code -->
</head>

这是清单：

{
"update_url": "https://clients2.google.com/service/update2/crx",

"manifest_version": 3,
"omnibox": { "keyword" : "Send a Vidyo Invite" },
"name": "Send a Vidyo Invite",
"description": "Quickly send a Vidyo invite using Google Mail or Google Calendar",
"version": "2.0.2",
"icons": {
 "16": "img/icon_16.png" ,
 "48": "img/icon_48.png" ,
 "128": "img/icon_128.png"
},
 "content_scripts": [{
    "matches": ["*://mail.google.com/*", "*://accounts.google.com/*", "*://www.google.com/calendar/*", "*://calendar.google.com/*"],
    "js": ["js/jquery-2.0.3.min.js", "js/vidyoCalendar.js", "js/dateFormat.js"],
    "css": ["css/ui.css"],
    "run_at": "document_end"
  }],
"homepage_url": "http://www.vidyo.com",
"content_security_policy": "script-src 'self' 'unsafe-eval' https://ssl.google-analytics.com; object-src 'self'",
"permissions": [  
    "cookies", 
    "tabs",  
    "*://*.google.com/*", 
    "http://*/*", 
    "https://*/*",
    "notifications",
    "contentSettings",
    "identity"
],  
"web_accessible_resources": [
    "js/jquery-1.9.1.min.js",
    "js/vidyoChromeExt.js",     
    "vidyoChromeExt.html",
    "js/jquery-2.0.3.min.map",
    "img/icon_48.png",
    "img/icon_16.png"
],
"background": {
  "scripts": ["js/eventPage.js"]
},
 "browser_action": {
"default_title": "Send a Vidyo Invite",
"default_icon": "img/icon_128.png",
"default_popup": "vidyoChromeExt.html"
}   
}

PS：我编辑了 content_security_policy 行：

"content_security_policy": "script-src 'self' 'unsafe-eval' https://ssl.google-analytics.com https://apis.google.com/js/platform.js; object-src 'self'",

现在我得到了这个错误：

platform.js:7 Refused to load the script 'https://apis.google.com/_/scs/apps-static/_/js/k=oz.gapi.en.5Qa4K6bqWYU.O/m…sv=1/d=1/ed=1/am=AQ/rs=AGLTcCNyN716KFiep1ch6_hoUSsIDwsHUA/cb=gapi.loaded_0' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' https://ssl.google-analytics.com https://apis.google.com/js/platform.js".

PPS：我确实设法让它加载脚本，并通过 content_security_policy。但现在我得到了这个错误：

cb=gapi.loaded_0:155 Uncaught gapi.auth2.ExternallyVisibleError: Invalid cookiePolicy

有什么想法吗？这是因为它是扩展吗？ 我发现这可能会有所帮助：https://github.com/google/google-api-javascript-client/issues/64 但到目前为止。没有任何作用

Answer 1

我引用：

.. 因为它违反了以下内容安全策略指令："script-src 'self' https://ssl.google-analytics.com"

从你的清单中：

"content_security_policy":
  "script-src 'self' 'unsafe-eval' https://ssl.google-analytics.com; object-src 'self'",

这与 https://apis.google.com 原点不匹配，因此完全匹配 what CSP is supposed to do：拒绝执行。

阅读 Chrome 扩展程序中的 Content Security Policy，并修改 CSP 以允许该origin，而不是单个脚本（因为 Google API 将更多脚本作为模块加载，而您不知道 URL提前）。