Network Request showing API call data – Security

I have a Web API call (GetCustomers) which gets a list of customers, and that works fine.
The problem is that in the Network Request tab, after I have logged in, I can see GetCustomers, and on clicking this I can see the complete list of customers.

Is there a way to hide these calls from being displayed?
See attached – I don’t want the GetRulesValidation call and the resulting data to be displayed in the Network Request tab within Chrome.

I am using Angular 4 on the front end and a C# Web API.


[Screenshot: Network Request in Chrome]

inline executing / src – Chrome Extension

I’m writing an extension that needs to save the users password/username, and I’m getting cockblocked by “content security policy”…
I’d like to save the usernames and password to, with JavaScript, but I keep getting errors because of “content security policy”.

I’ve tried playing around with “content_security_policy” in the manifest.json, but honestly can’t get it to work… Any suggestions would be appreciated.

Chrome Extension – Content Security Policy directive (LinkedIn)

I am using a Chrome extension to parse a username and cross-check it against my DB. However, LinkedIn’s CSP prevents me from making GET calls from the Chrome extension.

This is my console error:

Refused to connect to 'https://my.api.url/' because it violates the following Content Security Policy directive: "connect-src 'self' wss:".

Is there any way to override this in the meta tags, or to give Chrome extensions extra permissions?

Web Extension – Content Security Policy Error when Iframe Source Executes Script

I have a Chrome/Firefox web extension that uses a content script to inject HTML into a web page when a button is clicked. The HTML that is injected consists of an iframe nested within several divs.

Here’s the relevant portion of the content script:

var iFrame = document.createElement("iframe");
iFrame.id = "contentFrame";
iFrame.style.cssText = "width: 100%; height: 100%; border: none;";
iFrame.src = browser.extension.getURL("inject-content/inject.html");

var boxDiv = document.createElement("div");
boxDiv.style.cssText = "left: calc(100% - 390px); position: fixed; top: 0px; width: 390px; z-index: 1;";

var zeroDiv = document.createElement("div");
zeroDiv.style.cssText = "position: fixed; width: 0px; height: 0px; top: 0px; left: 0px; z-index: 2147483647;";

var outerDiv = document.createElement("div");
outerDiv.id = outerDivID; // outerDivID is defined elsewhere in the content script (not shown in the post)


As indicated by the code, the source of the iframe is a file called “inject.html”. Two important features of inject.html are:

1) A script tag (inside the header) that refers to the file for a JavaScript library in the same directory.

2) A piece of inline JavaScript that uses “perfect-scrollbar.js”. Also, for reference, here is the library itself:

When I open the file directly from my computer (i.e. right-click, open with Chrome), it works fine. However, when I use my extension in Firefox, I get the following error:

Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src").

console.log("hello world");


I read through the documentation and it seems that inline JavaScript is not allowed by the default content security policy.

Relevant documentation:

The default content security policy for extensions is:

"script-src 'self'; object-src 'self';"

This will be applied to any extension that has not explicitly set its own content security policy using the content_security_policy manifest.json key. It has the following consequences:

You may only load <script> and <object> resources that are local to the extension.

The extension is not allowed to evaluate strings as JavaScript.

Inline JavaScript is not executed.

I would solve the problem of inline JavaScript by using import statements, but according to Mozilla, those are not supported in Firefox right now:

According to the documentation, it is possible to allow some inline JavaScript by creating a SHA-256 hash of your script.

Allow the extension to execute inline scripts, by supplying the hash of the script in the “script-src” directive.

Allow the inline script:

"content_security_policy": "script-src 'self' 'sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng='; object-src 'self'"

and this

Alternatively, you can create hashes from your inline scripts. CSP supports sha256, sha384 and sha512.

Content-Security-Policy: script-src 'sha256-B2yPHKaXnvFWtRChIbabYmUBFZdVfKKXHbWtWidDVF8='

When generating the hash, don’t include the

Content Security Policy: Loading external javascript in Chrome extension

I want to host my JavaScript file instead of packing it with the extension. I have read about whitelisting cross-domain sources with Content Security Policy. This is what I have, but it throws an error:

"Could not load javascript '' for content script."


{
  "name": "My Chrome App",
  "version": "1.0",
  "manifest_version": 2,

  "content_scripts": [{
            "matches": [""],
            "js": [""],
            "run_at": "document_end"
  }],

  "background": {
  },

  "description": "My app description goes here", //on hover
  "icons": {
              "128": "icon.png"
  },

  "browser_action": {
              "default_title": "My Chrome App",
              "default_popup": "popup.html"
  },

  "permissions": [
              "http://*/*", "https://*/*","tabs"
  ],

  "content_security_policy": "script-src 'self'; object-src 'self'"
}


Is what I am trying to do impossible? Or is there a workaround? I cannot find an updated answer to this question, since CSP was updated a couple of years ago.

How to white-list inline script in the content security policy (CSP) of a Chrome extension?

I’m using the library list.js in a Chrome extension, and it uses inline scripting to insert the pagination in the web pages, which is included as an element like this:

So, in order to make this work in the extension, I guess I need to whitelist it in the content security policy (CSP).

To do so, I tried to relax the CSP for the inline script, as described in the Chrome docs here, but I can’t get it to work and I am still getting the console error:

Refused to execute JavaScript URL because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-{HASH}'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.

I followed the instructions here to generate a SHA-256 hash and tried:

$ echo -n "function Z(){Z=""}Z()" | openssl dgst -sha256 -binary | openssl enc -base64

After I get the hash, I include it in the manifest.json as follows:

"content_security_policy": "script-src 'self' 'sha256-{HASH}'; object-src 'self'",

What am I doing wrong?

Pusher in Chrome Extension stopped working – Content Security Policy

I have an extension which has a socket listening inside it; it was working for months, however recently (for the last 2 weeks) it stopped working. The CSP I used to have was:

"content_security_policy": "script-src 'self' 'unsafe-eval' https://*; object-src 'self';" (which was working)

However, now it’s throwing an error:

WebSocket connection to ‘wss://ws-{pusherId}’ failed: Error in connection establishment: net::ERR_NAME_NOT_RESOLVED

OPTIONS https://sockjs-{pusherId} net::ERR_NAME_NOT_RESOLVED

After some investigation, I came across

"content_security_policy": "script-src 'self' 'unsafe-eval' https://*; object-src 'self'; connect-src wss://* https://*"

but it is still returning the same errors.

What is the proper way of making it work in a Chrome extension? Is there a way of bypassing it with a CSP policy that I am missing?

Chrome Extension: Refused to execute inline script, but no inline scripts present?

I’m trying to build a very basic Chrome extension with ReactJS. However, I’m getting the following error:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-irwQGzGiWtpl6jTh4akRDdUUXCrtjkPABk5rinXZ5yw='), or a nonce ('nonce-...') is required to enable inline execution.

I don’t understand where this is coming from, considering that I don’t seem to have any inline scripts.


    New Tab


import React from "react";
import ReactDOM from "react-dom";

class Hello extends React.PureComponent {
  render() {
    return null; // the JSX markup returned here is missing from the post as extracted
  }
}

const element = <Hello />;
ReactDOM.render(element, document.getElementById('root'));


{
  "manifest_version": 2,

  "name": "SuperBasicReact",
  "description": "Just trying to make this work",
  "version": "0.1",

  "chrome_url_overrides": {
    "newtab": "newtab.html"
  },

  "browser_action": {
    "default_title": "SuperBasicReact"
  },

  "permissions": [
  ],

  "content_scripts": [{
    "matches": ["http://*/", "https://*/"],
    "js": ["test.jsx", "babel.js"]
  }],

  "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'; default-src 'self'"
}


I’m using chrome version 65.0.3325.162.

Any and all help will be appreciated.

Inject html in popup html on load

I am trying to inject an HTML snippet in a Chrome extension (popup.html). The most convenient way, it seems to me, is

However, it gives me an error:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-PjYKV/jd1GXDczCnVop+iWUrSsvAjw3SzEanGI7AbaY='), or a nonce ('nonce-...') is required to enable inline execution.

Even though I have this in my manifest file:

"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'",

and I also tried changing it to:

"content_security_policy": "script-src 'self' 'sha256-/oh1xgpyFXn7kJvIaB70H0jKEHLn/1TIiY9wJcLcOLI='",

Content-Security-Policy: Refused to execute inline script

I’m trying to implement a Content-Security-Policy.

My HTML file does not include any JavaScript code except for including external JS files. But the console still says:

Refused to execute inline script because it violates the following Content Security Policy directive:

So my questions are:

  1. Is including an external JavaScript file like
    seen as an “inline script”?

  2. If so, what can I do to allow these scripts via CSP? I already tried to use a nonce within my scripts, but it always says:

    Undefined attribute name (nonce)

  3. Do dev tools (e.g. Google Chrome) provide a function to see which inline script produces the error?