How can I bypass content-security-policy header restriction and run my preload script in webview?


#1

I have already set my <webview> with disablewebsecurity. However, when I try to access a certain website which contains a content-security-policy header with 'unsafe-inline', the JS broke!!!

Here is the error message:

EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src ipv4.wtfismyip.com wtfismyip.com".

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src ipv4.wtfismyip.com wtfismyip.com". Either the 'unsafe-inline' keyword, a hash ('sha256-Tp5j41EJEWLvcVzyZrSssQch5dYHWSgxRqCvEoDS0xM='), or a nonce ('nonce-...') is required to enable inline execution.

UPDATE: I have tried webFrame.registerURLSchemeAsBypassingCSP('file') but no luck. It seems that the error is prompted before the preload script of my <webview> is executed. That means webFrame.registerURLSchemeAsBypassingCSP('file') has not even run!

How come? Thanks in advance.
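
The two errors quoted in the post follow directly from the page's `script-src` directive. The sketch below is an added example, not part of the original post and not Electron code: it models how a browser reads a policy to decide whether inline scripts and `eval()` may run. The function names `parseCsp` and `scriptVerdict` are hypothetical, nonces on individual script elements are not modelled, and the second policy is constructed for illustration.

```javascript
// Parse a Content-Security-Policy header value into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// Decide whether inline script and eval() are permitted.
// inlineHash (optional) is the 'sha256-...' value the browser reports for a block.
function scriptVerdict(header, inlineHash) {
  const policy = parseCsp(header);
  // script-src falls back to default-src when it is absent.
  const sources = policy["script-src"] || policy["default-src"];
  if (sources === undefined) {
    return { restricted: false, inlineAllowed: true, evalAllowed: true };
  }
  const lower = sources.map((s) => s.toLowerCase());
  // A nonce, a hash or 'strict-dynamic' makes browsers ignore 'unsafe-inline'.
  const hashOrNonce = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  const strictDynamic = lower.includes("'strict-dynamic'");
  const hashListed = inlineHash !== undefined && sources.includes(`'${inlineHash}'`);
  const unsafeInline =
    lower.includes("'unsafe-inline'") && !hashOrNonce && !strictDynamic;
  return {
    restricted: true,
    inlineAllowed: unsafeInline || hashListed,
    evalAllowed: lower.includes("'unsafe-eval'"),
  };
}

// Policy and hash exactly as they appear in the error messages above.
const PAGE_POLICY = "script-src ipv4.wtfismyip.com wtfismyip.com";
const PAGE_HASH = "sha256-Tp5j41EJEWLvcVzyZrSssQch5dYHWSgxRqCvEoDS0xM=";
// Constructed policy: the nonce cancels 'unsafe-inline'.
const CONSTRUCTED_POLICY =
  "default-src 'self'; script-src 'self' 'unsafe-inline' 'nonce-abc123'";

console.log(scriptVerdict(PAGE_POLICY, PAGE_HASH));
console.log(scriptVerdict(CONSTRUCTED_POLICY));
```
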