在firefox-addon中使用JS文件时的内容安全策略问题

Question

我正在做一个浏览器扩展，在firefox中加载外接程序时会得到这个错误：

Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src”). Source: onclick attribute on SPAN element.index.html

我已经将问题缩小到在html中调用javascript方法时。这似乎不是digitalClock.js的问题，只有onclick="foo()“这样的东西给出了我所拥有的每个onclick的错误。

​

//settings.js
function openNav() {
  document.getElementById("mySettings").style.width = "325px";
}

function closeNav() {
  document.getElementById("mySettings").style.width = "0";
}
//digitalClock.js is working. The error message occurs even if this is removed.

<!DOCTYPE html>
<html lang="en">

<head>
  <link rel="stylesheet" type="text/css" href="styles/clock.css" />
  <link rel="stylesheet" type="text/css" href="styles/settings.css" />
  <meta charset="utf-8">
  <title>Title</title>
</head>

<span style="font-size:30px;cursor:pointer" onclick="openNav()">&#9776;</span>

<div id="myClock" class="clock">clock</div>

<script src=scripts/digitalClock.js></script>
<script src=scripts/settings.js></script>

</html>

​

manifest.json

{

  "manifest_version": 2,
  "name": "CPS error",
  "version": "1.0",

  "description": "CPS error",

  "icons": {
    "48": "icons/border-48.png"
  },


  "permissions": ["storage", "tabs","geolocation"],


  "chrome_settings_overrides": {
    "homepage": "public/index.html"
  },
  "chrome_url_overrides": {
    "newtab": "public/index.html"
    }
}

如果我删除这条线：

<span style="font-size:30px;cursor:pointer" onclick="openNav()">&#9776;</span>

该外接程序将加载没有问题。如果我能在这条错误信息上得到一些帮助，我们将不胜感激。

Answer 1

确切地说，您不应该在html中调用javascript方法，而应该在JS中移动JS逻辑。

例如，您可以删除onclick，在span中添加一个id="nav“，然后使用JS侦听器：

document.getElementById("nav").addEventListener("click", function(){
  openNav();
});

这应该会删除警告。