Adding a script to a frame (Atom's CSP)


I’m attempting to append a script to an iframe within my view. Imagine a split pane view with an editor on one side and live html on the other. Although this is not exactly what I’m trying to do, it is an easier use case to understand.

I’m attempting to simply use JavaScript/jQuery to append a script to the frame like this:

$(frame).contents().find("body").append("<script>alert('this will fail');</script>")

and I’m running into this error:

Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".

Does anyone know of, or can anyone think of, a way to avoid this error without saving files to a temporary directory and then loading them via src?

More broadly, this issue is similar to this CSP question; however, it was never properly answered, and I’m not sure the workaround is a long-term solution.

I understand why the error is occurring and Chrome has some good info on their CSP for extensions.

Is Atom mostly the same?


There is also this other topic on specifically linking to external JS, which is essentially the same thing from a security perspective since you’re both trying to inject JS into the “page” ex post facto:

These two topics are the extent of the conversation, unless someone has a special trick that they’ve been keeping to themselves.

Closing this topic in favor of the original one.
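
Added illustration, not part of either post and not Atom's own code: a simplified model of `script-src` matching, showing which script-loading attempts the policy in the quoted error (`script-src 'self'`) permits. The origin `https://app.example` and the script URLs are constructed placeholders; nonces, hashes, wildcards and path matching are not modelled.

```javascript
// Simplified model of script-src enforcement. Handles keyword, scheme and
// exact-origin sources only; nonces, hashes, wildcards and paths are omitted.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function checkScript(policy, pageOrigin, attempt) {
  const directives = parseCsp(policy);
  // script-src falls back to default-src; with neither, scripts are unrestricted.
  const sources = directives.get("script-src") ?? directives.get("default-src");
  if (sources === undefined) return true;
  const lower = sources.map((s) => s.toLowerCase());
  switch (attempt.kind) {
    case "eval": // eval(), new Function(), string setTimeout
      return lower.includes("'unsafe-eval'");
    case "inline": // <script>...</script> body or inline event handler
      return lower.includes("'unsafe-inline'");
    case "src": { // <script src="...">
      const url = new URL(attempt.url, pageOrigin);
      return lower.some((s) =>
        (s === "'self'" && url.origin === pageOrigin) ||
        s === url.origin || s === url.protocol);
    }
    default:
      throw new Error(`unknown attempt kind: ${attempt.kind}`);
  }
}

// Constructed inputs: the policy is the one in the quoted error message;
// the origin and URLs are placeholders.
const POLICY = "script-src 'self'";
const ORIGIN = "https://app.example";
const ATTEMPTS = [
  { kind: "eval" },
  { kind: "inline" },
  { kind: "src", url: "/preview/generated.js" },
  { kind: "src", url: "https://cdn.example/lib.js" },
];

function report() {
  return ATTEMPTS.map((a) => checkScript(POLICY, ORIGIN, a));
}
console.log(report());
```

Under this policy only the same-origin `src` load is allowed, which is why the file-based approach mentioned in the question passes while string evaluation and inline script bodies are refused.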
