4

Using jQuery 1.10.2 and jQuery Mobile 1.3.2 I am trying to create a chrome packaged app with the following simple html...

<!DOCTYPE html>
<html>
<body>
    <div data-role="page">
        <script async src="events.js" type="text/javascript"></script>
    </div>
</body>
</html>

There are two problems. The first is that jQuery will intercept the script tag loading events.js and makes the call xhr.open( s.type, s.url, s.async ); however s.async is false. Chrome packaged apps do not allow synchronous loading. So before this line in jQuery i set s.async = true;

The next problem is that jquery will call its globalEval method on each script on first document insertion and this calls eval which produces this CSP error with the chrome packaged app:

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' chrome-extension-resource:".

One solution might be sandboxing (add the html page in the manifest) however this causes another problem: XMLHttpRequest cannot load chrome-extension://ocnbknafegfhcgbiciegbfndjckamkoj/events.html. Origin null is not allowed by Access-Control-Allow-Origin. The server has "Access-Control-Allow-Origin", "*" so i wouldn't expect this error.

So, is the first sync error a jquery problem? Is the second problem also jquery/chrome packaged app mismatch? Is there are workaround for CSP? Is there a way to sandbox but allow navigation between pages?

4

1 回答 1

0

正如您所提到的,由于内容安全策略 (CSP),您不能在 Chrome 打包应用程序中使用 globalEval。您也不能使用行内脚本标记,因为 CSP 也将其视为安全风险。

您在沙盒处理非 CSP 投诉 HTML 和 JS 方面走在正确的轨道上,但为了发出 XHR 请求,您需要使用窗口之间的消息传递服务来消除 Origin 错误。

看看下面的 url,它有关于如何处理跨域请求的文档:http: //developer.chrome.com/apps/app_external.html#cross-origin

于 2013-12-20T20:35:02.463 回答