Content Security Policy directive "script-src 'self' 'unsafe-eval'"

I’m attempting to write a Chrome extension to return weather observations from the nearest station using and the API services. I seem to have gotten most of the CSP stuff sorted out, although I still get an error for a GET request that is inside of my JavaScript being called by the HTML. I am wondering if there’s a way to navigate these CSP protocols for a call within a script. It seems to me that by even running the initial JS it would have cleared for subsequent calls, but this is my first time dealing with this and I’m struggling. Thanks for any help; a working fiddle can be seen at:

and my manifest.json is:

  {
    "manifest_version": 2,
    "name": "Sensible Weather",
    "description": "This extension will return simple weather obs for a site",
    "version": "1.1",

    "browser_action": {
      "default_icon": "day16.png",
      "default_popup": "popup.html"
    },

    "icons": {
      "16": "day16.png",
      "48": "day48.png",
      "128": "day128.png"
    },

    "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'",

    "permissions": [
    ]
  }
And the error I receive is:
jquery-3.3.1.min.js:2 Refused to load the script '…' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'"

Thanks again!
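The refusal quoted above is a plain source-list mismatch: under script-src 'self' 'unsafe-eval', the only scripts allowed are those served from the extension's own chrome-extension:// origin, so any script element that jQuery inserts for a remote URL (which is how a JSONP-style request is made) has no matching source, and 'unsafe-eval' does nothing for URL loads. The following is an added example, not code from the original post, that models the CSP host-source matching rules well enough to reproduce that decision; the extension id, API host and URLs are constructed placeholders, and nonces, hashes and 'strict-dynamic' are out of scope.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Constructed sample input (placeholder extension id and API host, not from the post).
POLICY = "script-src 'self' 'unsafe-eval'; object-src 'self'"
EXT_PAGE = "chrome-extension://abcdefghijklmnopabcdefghijklmnop/popup.html"
API_SCRIPT = "https://api.example.com/observations?callback=jQuery123"

def parse_csp(policy):  # "dir src src; dir src" -> {directive: [sources]}
    parts = (p.split() for p in policy.split(";"))
    return {tok[0].lower(): tok[1:] for tok in parts if tok}

def _origin(url):  # (scheme, host, effective port); port is None for chrome-extension://
    u = urlsplit(url)
    return u.scheme.lower(), (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(u.scheme.lower())

def _host_source_matches(src, url, page):  # [scheme://]host[:port], * and *.host wildcards
    src_scheme, _, rest = src.partition("://") if "://" in src else ("", "", src)
    host, _, port = rest.split("/", 1)[0].partition(":")  # path part is ignored here
    scheme, uhost, uport = url
    want = src_scheme or page[0]  # explicit scheme, otherwise the page's own scheme
    if scheme != want and not (want == "http" and scheme == "https"):
        return False
    if host.startswith("*."):
        if not uhost.endswith(host[1:]):
            return False
    elif host != "*" and host != uhost:
        return False
    if port:
        return port == "*" or int(port) == uport
    return uport == DEFAULT_PORTS.get(scheme)  # no port listed: scheme default only

def script_allowed(policy, script_url, page_url):
    """Return (allowed, matched source or reason) for a <script src=...> load."""
    sources = parse_csp(policy).get("script-src")
    if sources is None:
        return True, "no script-src directive"
    url, page = _origin(script_url), _origin(page_url)
    for src in sources:
        s = src.strip("'").lower()
        if src.startswith("'"):  # keywords: only 'self' can match a URL
            if s == "self" and url == page:
                return True, "'self'"
        elif s.endswith(":") and "://" not in s:  # scheme-source such as https:
            if url[0] == s[:-1]:
                return True, src
        elif _host_source_matches(s, url, page):
            return True, src
    return False, f"Refused to load the script '{script_url}': no matching source"
```

`script_allowed(POLICY, API_SCRIPT, EXT_PAGE)` returns the refusal; adding the API's https origin to script-src (and nothing broader than that host) is what makes the same call succeed while keeping every other origin blocked.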

Should it be so easy to inject javascript with a Chrome extension?

As part of a security test, I have built a very basic Chrome extension with the purpose of being able to read secure cookies, as well as localStorage data. I managed to get this to work, which itself is a pretty bad thing; however, when building it I used the following line:

chrome.tabs.executeScript(tabs[0].id, {code: '...'});

Now, from my understanding of this, this line of code will actually allow you to execute any JavaScript on the page, provided the user has agreed to the permissions, of course.

With this, even with a CSP header on, anyone could quite easily create an extension to do what I have done above.

Should it be that easy to inject JavaScript onto a webpage using an extension? Surely not!?

Bear in mind, I have the extension running in developer mode on my machine and have not published it to the Chrome store, but I haven’t seen anything in regard to extensions being approved, just that they are approved and live immediately.

In case that it is possible by design for this to happen, are there any ways to prevent things like this happening? Are there any CSP headers etc. that can help prevent this?

Many thanks all