The extension's Content security policy only applies to extension pages, not content scripts.
When you insert a <script> tag, it becomes subject to the page's CSP, so changing the CSP string in the manifest file won't have any effect.
To solve the problem, I suggest loading scriptTagContext.js before your other content script. First read README.md to understand the technique, then get it from https://github.com/Rob--W/chrome-api/tree/master/scriptTagContext.
Example: G+1 on every GitHub page
I'm taking GitHub as an example, because it enforces a strict Content security policy.
manifest.json
{
    "name": "Google +1 on Github",
    "version": "1",
    "manifest_version": 2,
    "content_scripts": [{
        "js": ["scriptTagContext.js", "contentscript.js"],
        "matches": ["*://*.github.com/*"]
    }],
    "permissions": [
        "*://apis.google.com/*"
    ]
}
scriptTagContext.js
Get it from https://raw.github.com/Rob--W/chrome-api/master/scriptTagContext/scriptTagContext.js
contentscript.js
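// A <script> tag inserted by a content script is subject to the page's CSP,
// which is why scriptTagContext.js is listed first in manifest.json.
var script = document.createElement('script');
script.src = 'https://apis.google.com/js/plusone.js';
document.head.appendChild(script);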
// Next snippet is equivalent to jQuery's $('body').prepend('<g:plusone/>')
document.body.insertAdjacentHTML('afterbegin', '<g:plusone></g:plusone>');
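
Added example (not part of the original answer and not code from scriptTagContext.js): a simplified evaluation of a page's CSP against a script URL, showing that the decision for an inserted <script> tag depends on the page's policy and not on anything in the extension manifest. The policy string and the host assets.example.test are constructed for illustration and are not GitHub's actual header; the matcher ignores nonces, hashes, ports and 'strict-dynamic'.

```javascript
// Simplified CSP evaluation for <script src>. Not a full implementation:
// nonces, hashes, 'strict-dynamic' and port-qualified sources are not handled.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function sourceMatches(expr, url, pageOrigin) {
  const e = expr.toLowerCase();
  if (e === "'self'") return url.origin === pageOrigin;
  if (e === '*') return url.protocol === 'http:' || url.protocol === 'https:';
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e; // scheme-source
  // host-source: [scheme://][*.]host[/path]; anything else never matches a URL here
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:]+)(\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, path] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ':') return false;
  const h = host.toLowerCase();
  // "*.example.com" matches subdomains only, not example.com itself.
  if (wildcard ? !url.hostname.endsWith('.' + h) : url.hostname !== h) return false;
  if (!path) return true;
  return path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path;
}

// Would a <script src=scriptUrl> inserted into a page at pageOrigin be allowed?
function scriptAllowed(pageCsp, scriptUrl, pageOrigin) {
  const d = parseCsp(pageCsp);
  const sources = d.get('script-src-elem') || d.get('script-src') || d.get('default-src');
  if (!sources) return true; // no governing directive: nothing restricts scripts
  const url = new URL(scriptUrl);
  return sources.some((expr) => sourceMatches(expr, url, pageOrigin));
}

// Constructed sample policy (an assumption for illustration).
const SAMPLE_PAGE_CSP = "default-src 'none'; script-src 'self' https://assets.example.test";
const PLUSONE = 'https://apis.google.com/js/plusone.js';

console.log(scriptAllowed(SAMPLE_PAGE_CSP, PLUSONE, 'https://github.com')); // false
console.log(scriptAllowed(SAMPLE_PAGE_CSP + ' https://apis.google.com', PLUSONE, 'https://github.com')); // true
```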