What makes an unsafe script “unsafe”?

Question

I'm new to chrome extensions. I'm writing a little plug-in that zooms in a page when the user presses a button ( very new). However, it won't run unless I allow unsafe scripts and it won't carry over to new pages, ostensibly because of the unsafe scripts. All I'm doing is zooming.

What I really want to know is, if it is not asking for information or directly accessing their computer, what makes a script unsafe?

Answer 1

There are three things making a script unsafe for Google extensions:

Inline JavaScript

It's a common beginer mistake (I have made it). You can't put inline JavaScript statements. For example, you can't handle event this way:

<img src="myImage.jpg" onclick="doSomething()">

The correct way to do this is to do define an Id for your DOM element, the image in my example, and to set the event handler in a separate JavaScript file:

page.html:

<img src="myImage.jpg" id="myImage">
<script src="script.js"></script>

script.js:

//In vanilla Javascript :
document.getElementById("myImage").onClick(doSomething);

//In JQuery
$("#myImage").on("click", doSomething);

Eval and related functions

All functions that can evaluate String as JavaScript in the fly are unsafe. So the eval function is not allowed, such as new Function("return something.value");

Remote scripts

Only local scripts are safe. If you are using for example jQuery, you have to include the library in your extension. Loading external library via CDN links is considered as unsafe.

It's a quick overview, you can read more about this and have the explanations of this restrictions on Google Chrome extension Content Security Policy

Answer 2

Another thing to consider is how you're sourcing your files.

For example, if you source a file using http:// , but access the site using https:// , you will get an unsafe scripts error.