Plugin does not work on pages with content security policy

[hubendubler]

Hello, I am having problems using the Chrome plugin on a website using Tolgee and a restrictive content security policy.

The plugin injects a script referencing https://cdn.jsdelivr.net/npm/@tolgee/web@5.14.0/dist/tolgee-in-context-tools.umd.min.js
This is blocked by the browser and can only be circumvented by adding cdn.jsdelivr.net/npm/@tolgee/ to the script-src part of the CSP, but ideally I would like to avoid this on production.

Is there a way for the Chrome plugin to handle the CSP on the pages it is used on?

[stepan662]

Hey, it seems like there is no way around it. You'll have to list it in the script-src.

[stepan662]

I've tried to load the script in the plugin (which works) and then inject it manually into the new script element, but this is also blocked by CSP (and it's also really ugly). If you'd find a way how to go around this, PRs are welcomed.