Methods Endorsed by Chrome Apps
Use templating libraries
Use a library that offers precompiled templates and you’re all set. You can still use a library that doesn’t offer precompilation, but it will require some work on your part and there are restrictions.
You will need to use sandboxing to isolate any content that you want to do ‘eval’ things to. Sandboxing lifts CSP on the content that you specify.
Sandbox local content
Sandboxing allows specified pages to be served in a sandboxed, unique origin. These pages are then exempt from their Content Security Policy. Sandboxed pages can use iframes, inline scripting, and eval() (and the last two are the ones being prevented). That'll fix 'unsafe-inline' and 'unsafe-eval'.
- Use inline scripts in sandbox
- Include sandbox in manifest
Access remote resources
You can fetch remote resources via XMLHttpRequest and serve them via blob:, data:, or filesystem: URLs. This should fix the jQuery fetching issue.
Manifest requirement
To be able to do cross-origin XMLHttpRequests, you'll need to add a permission for the remote URL's host.
Cross-origin XMLHttpRequest
Fetch the remote URL into the app and serve its contents as a blob: URL.
I don't think you can do any of these. To fix the unsafe-eval and unsafe-inline response headers, only the script owner can fix the code, or if it's in the public domain, you can fix it. All this is probably a one-time fix.
Hacks
UnsafeWindow
http://wiki.greasespot.net/UnsafeWindow
Content Script Injection
http://wiki.greasespot.net/Content_Script_Injection
The hacks, however, have downsides because they've been known to cause security holes; at least the first one, definitely.
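The "use templating libraries" and "sandbox local content" points above, carried through as an added example (constructed for this page; it is neither the original answer's code nor Chrome's sample). It assumes manifest.json declares "sandbox": { "pages": ["sandbox.html"] } and that the app page embeds that file in an iframe; the message shape (command, id, template, data) and the tiny {{dotted.name}} template syntax are assumptions chosen for the example. The point it shows: the code-from-string step (new Function) lives only in the CSP-exempt sandboxed page, the app page keeps the default CSP, every interpolated value is HTML-escaped, and the app page accepts replies only from its own sandbox frame.

```javascript
// Added example, not code from the original answer or from Chrome's docs.
// Assumed layout: manifest.json lists "sandbox": { "pages": ["sandbox.html"] };
// the app page embeds <iframe id="tpl" src="sandbox.html"> and talks to it
// over postMessage. Only the sandboxed page builds code from strings; the
// app page keeps the default CSP and never calls eval() or new Function().

// ---------- sandbox.html side (CSP-exempt, unique origin) ----------

function escapeHtml(value) {
  const s = value == null ? '' : String(value);
  return s.replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' })[c]);
}

// Resolve a dotted path ("user.name") against the data object.
function getPath(obj, path) {
  return path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), obj);
}

// Compile a "{{dotted.name}}" template into a function via new Function(),
// the code-from-string construct that CSP blocks outside the sandbox.
// Every interpolated value passes through escapeHtml(), so data fetched
// from a remote source cannot add markup or script to the rendered output.
function compileTemplate(source) {
  const body = 'return "' +
    source
      .replace(/\\/g, '\\\\')
      .replace(/"/g, '\\"')
      .replace(/\r?\n/g, '\\n')
      .replace(/\{\{\s*([A-Za-z_$][\w$.]*)\s*\}\}/g,
        (_, path) => '" + esc(get(data, "' + path + '")) + "') +
    '";';
  const fn = new Function('data', 'esc', 'get', body);
  return (data) => fn(data, escapeHtml, getPath);
}

const templateCache = new Map();

// Handle one request from the app page and build the reply object.
function handleRenderRequest(request) {
  if (!request || request.command !== 'render' || typeof request.template !== 'string') {
    return { id: request && request.id, error: 'unsupported request' };
  }
  let render = templateCache.get(request.template);
  if (!render) {
    render = compileTemplate(request.template);
    templateCache.set(request.template, render);
  }
  try {
    return { id: request.id, html: render(request.data || {}) };
  } catch (e) {
    return { id: request.id, error: 'render failed: ' + e.message };
  }
}

// Wired up only when this file actually runs inside the sandboxed iframe.
if (typeof window !== 'undefined' && window.parent !== window) {
  window.addEventListener('message', (event) => {
    event.source.postMessage(handleRenderRequest(event.data), event.origin);
  });
}

// ---------- app page side (default CSP: no eval, no inline script) ----------

let nextId = 1;
const pending = new Map();

// Ask the sandbox to render; the sandbox has an opaque origin, so '*' is the
// only usable target origin, and the reply is filtered by event.source below.
function renderInSandbox(iframe, template, data) {
  return new Promise((resolve, reject) => {
    const id = nextId++;
    pending.set(id, { resolve, reject });
    iframe.contentWindow.postMessage({ command: 'render', id, template, data }, '*');
  });
}

// Accept replies only from our own sandbox frame and only for ids we issued.
// The html is app-authored markup with escaped values, which is why it may
// be assigned to innerHTML here.
function installReplyHandler(iframe, target) {
  window.addEventListener('message', (event) => {
    if (event.source !== iframe.contentWindow) return;
    const entry = pending.get(event.data && event.data.id);
    if (!entry) return;
    pending.delete(event.data.id);
    if (event.data.error) {
      entry.reject(new Error(event.data.error));
    } else {
      target.innerHTML = event.data.html;
      entry.resolve(event.data.html);
    }
  });
}
```

In the app page you would call installReplyHandler(document.getElementById('tpl'), outputElement) once and then renderInSandbox(iframe, '<li>{{user.name}}</li>', { user }) per render; a real precompiling library replaces compileTemplate() but the message discipline (id-matched replies, event.source check, escaping inside the sandbox) stays the same.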
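The "access remote resources" and "manifest requirement" points above, as an added example (constructed for this page; not the original answer's code and not Chrome's own sample). The manifest object, the cdn.example.com / assets.example.net hosts, and the helper names are assumptions. urlPermitted() evaluates http/https match patterns as written in manifest permissions ('*' scheme, '*' and '*.domain' hosts, '*' wildcards in the path, '<all_urls>') so a request the manifest does not cover fails with a clear error before the XMLHttpRequest is made; fetchAsBlobUrl() then fetches the permitted resource, optionally checks a SHA-256 digest (because a remote script served from a blob: URL becomes app-privileged code), and hands back a blob: URL for a src attribute.

```javascript
// Added example, not code from the original answer or from Chrome's docs.
// The manifest below is constructed; only the match-pattern shapes matter.
const SAMPLE_MANIFEST = {
  name: 'blob-url demo (constructed)',
  permissions: ['storage', 'https://cdn.example.com/*', '*://*.assets.example.net/lib/*'],
};

// Parse an http/https match pattern into { scheme, host, path }; non-host
// permissions such as "storage" yield null.
function parseMatchPattern(pattern) {
  if (pattern === '<all_urls>') return { scheme: '*', host: '*', path: '/*' };
  const m = /^(\*|https?):\/\/(\*|\*\.[^/*]+|[^/*]+)(\/.*)$/.exec(pattern);
  return m ? { scheme: m[1], host: m[2].toLowerCase(), path: m[3] } : null;
}

// '*' matches any host; '*.example.net' matches example.net and its subdomains.
function hostMatches(patternHost, host) {
  if (patternHost === '*') return true;
  if (patternHost.startsWith('*.')) {
    const suffix = patternHost.slice(2);
    return host === suffix || host.endsWith('.' + suffix);
  }
  return host === patternHost;
}

// Turn a path glob ('/lib/*') into an anchored RegExp; '*' is the only wildcard.
function globToRegExp(glob) {
  const parts = glob.split('*').map((s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('^' + parts.join('.*') + '$');
}

// True if some host permission in the manifest covers the URL. The path is
// matched as written, so the check is a conservative pre-check.
function urlPermitted(manifest, urlString) {
  let url;
  try { url = new URL(urlString); } catch (e) { return false; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  const scheme = url.protocol.slice(0, -1);
  return (manifest.permissions || []).some((perm) => {
    const p = parseMatchPattern(perm);
    if (!p) return false;
    if (p.scheme !== '*' && p.scheme !== scheme) return false;
    if (!hostMatches(p.host, url.hostname.toLowerCase())) return false;
    return globToRegExp(p.path).test(url.pathname + url.search);
  });
}

function bytesToHex(bytes) {
  return Array.from(new Uint8Array(bytes), (b) => b.toString(16).padStart(2, '0')).join('');
}

// Browser-only (XMLHttpRequest, crypto.subtle, URL.createObjectURL); nothing
// here runs until a page calls it. expectedSha256Hex is optional but
// recommended: the blob: URL will be treated as app code, so pin its content.
function fetchAsBlobUrl(manifest, url, expectedSha256Hex, onDone) {
  if (!urlPermitted(manifest, url)) {
    onDone(new Error('manifest grants no host permission for ' + url));
    return;
  }
  const xhr = new XMLHttpRequest();
  xhr.open('GET', url, true);
  xhr.responseType = 'arraybuffer'; // keep raw bytes so the digest can be checked
  xhr.onerror = () => onDone(new Error('network error fetching ' + url));
  xhr.onload = () => {
    if (xhr.status !== 200) {
      onDone(new Error('HTTP ' + xhr.status + ' for ' + url));
      return;
    }
    crypto.subtle.digest('SHA-256', xhr.response).then((digest) => {
      if (expectedSha256Hex && bytesToHex(digest) !== expectedSha256Hex.toLowerCase()) {
        onDone(new Error('digest mismatch for ' + url)); // never serve tampered content
        return;
      }
      const type = xhr.getResponseHeader('Content-Type') || 'application/octet-stream';
      onDone(null, URL.createObjectURL(new Blob([xhr.response], { type })));
    }, onDone);
  };
  xhr.send();
}
```

A typical call is fetchAsBlobUrl(manifest, 'https://cdn.example.com/jquery.js', '<sha256 hex of the pinned file>', (err, blobUrl) => { if (!err) script.src = blobUrl; }); revoke the blob: URL with URL.revokeObjectURL() once the script has loaded.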