While building a React Chrome extension using the create-react-app utility (v2.x), I came across the following error on loading my unpacked extension:
Refused to execute inline script because it violates the following Content Security Policy directive: “script-src ‘self’
blob: filesystem: chrome-extension-resource:”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-
GgRxrVOKNdB4LrRsVPDSbzvfdV4UqglmviH9GoBJ5jk=’), or a nonce (‘nonce-…’) is required to enable inline execution.
Basically, this error arises as Chrome (or almost any modern browser) will not allow inline scripts to get executed. This CSP restriction resulted in the above error as the build script in create-react-app bundles the .js files in <script> tags in the <body> of index.html.