I read about Content Security Policy from:
http://developer.chrome.com/extensions/contentSecurityPolicy.html
It is mentioned there that:
“If you have a need for some external JavaScript or object resources, you can relax the policy to a limited extent by whitelisting secure origins from which scripts should be accepted”
The example shows that you need to add to your manifest.json this line:
"content_security_policy": "script-src 'self' https://example.com; object-src 'self'"
but what if I want to support not only https://example.com but every web site?
btw – is it also possible to include “Evaluated JavaScript” ('unsafe-eval') in that?
what should I write instead?
The page you reference explicitly states, “As man-in-the-middle attacks are both trivial and undetectable over HTTP, those origins will not be accepted.” Thus, http: origins are right out. You can whitelist all the secure origins Chrome extensions allow with a protocol-only source: script-src 'self' https:. That’s the best you can do inside a Chrome extension: on the web at large, you could whitelist script-src http: https:.

To the other question, 'unsafe-eval' is now permitted in extensions. In previous versions of Chrome it was not allowed, but it seems that Google recently reversed their position on that.
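To make the source-list behaviour in the answer concrete, here is an added example (not code from the question, the answer, or Chrome) that parses a script-src directive and decides whether a given script URL would be permitted by it. It shows that a scheme-only source such as https: matches every https origin, that a host source such as https://example.com matches only that origin, that http: sources are flagged as unusable in an extension, and how the 'unsafe-eval' keyword is detected. Only a subset of CSP matching is implemented (scheme sources, host sources with an optional *. wildcard and port, 'self', and keywords); a host source written without a scheme is treated as https-only, which is a simplification of this example, and the extension origin chrome-extension://abcdefghijklmnop is a constructed placeholder.

```javascript
// Added example: a small CSP script-src matcher for extension-style policies.
// Simplified subset of CSP source-expression matching; not Chrome's implementation.

// Parse "script-src 'self' https:; object-src 'self'" into
// { "script-src": ["'self'", "https:"], "object-src": ["'self'"] }.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

const SCHEME_SOURCE = /^([a-z][a-z0-9+.-]*):$/i;                         // e.g. "https:"
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+))?\/?$/i;

// Origin as "scheme://host[:port]"; built by hand because URL.origin is "null"
// for non-special schemes such as chrome-extension:.
function originOf(url) {
  return `${url.protocol}//${url.host}`;
}

// Does one source expression match the given parsed URL?
function sourceMatches(source, url, selfOrigin) {
  if (source === "'self'") return originOf(url) === selfOrigin;
  if (source.startsWith("'")) return false; // keywords like 'unsafe-eval' never match a URL

  const scheme = SCHEME_SOURCE.exec(source);
  if (scheme) return url.protocol === scheme[1].toLowerCase() + ":";

  const m = HOST_SOURCE.exec(source);
  if (!m) return false;
  const [, srcScheme, wildcard, srcHost, srcPort] = m;
  // Assumption of this example: a scheme-less host source counts as https only.
  const wantScheme = (srcScheme ? srcScheme.toLowerCase() : "https") + ":";
  if (url.protocol !== wantScheme) return false;

  const host = url.hostname.toLowerCase();
  const hostOk = wildcard
    ? host.endsWith("." + srcHost.toLowerCase())
    : host === srcHost.toLowerCase();
  if (!hostOk) return false;

  const defaultPort = wantScheme === "https:" ? "443" : "80";
  const urlPort = url.port || defaultPort;
  return srcPort ? urlPort === srcPort : urlPort === defaultPort;
}

function scriptSources(policy) {
  const directives = parsePolicy(policy);
  return directives["script-src"] || directives["default-src"] || [];
}

// Would a <script src=...> from scriptUrl be allowed under this policy?
function scriptAllowed(policy, scriptUrl, selfOrigin) {
  const url = new URL(scriptUrl);
  return scriptSources(policy).some((s) => sourceMatches(s, url, selfOrigin));
}

// Is eval()/new Function() permitted, i.e. is 'unsafe-eval' in script-src?
function evalAllowed(policy) {
  return scriptSources(policy).includes("'unsafe-eval'");
}

// Sources the answer says an extension manifest will not accept: plain http.
function insecureScriptSources(policy) {
  return scriptSources(policy).filter((s) => /^http:(\/\/|$)/i.test(s));
}

// Constructed demonstration values.
const SELF = "chrome-extension://abcdefghijklmnop";           // placeholder extension origin
const ANY_HTTPS = "script-src 'self' https:; object-src 'self'";
const ONE_HOST = "script-src 'self' https://example.com; object-src 'self'";

console.log(scriptAllowed(ANY_HTTPS, "https://cdn.example.net/lib.js", SELF)); // true
console.log(scriptAllowed(ANY_HTTPS, "http://cdn.example.net/lib.js", SELF));  // false
console.log(scriptAllowed(ONE_HOST, "https://other.example.org/lib.js", SELF)); // false
console.log(insecureScriptSources("script-src 'self' http: https:"));          // [ 'http:' ]
```

Running it under Node prints the four values shown in the trailing comments; the same functions can be pointed at a manifest's content_security_policy string to check which third-party script hosts it actually admits before shipping.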