VAPI integration in chrome extension
# support
e
Hey there, I am trying to integrate the VAPI assistant in a Chrome extension and am currently facing the following issue: Failed to load call object bundle https://c.daily.co/call-machine/versioned/0.58.0/static/call-machine-object-bundle.js: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: \"script-src 'self'\".\n" Is there a way to avoid this? My guess is that after I make a call it gets more JS and tries to "eval" code from it, which is an unsafe feature and is restricted by Google policies. I am using the @vapi-ai/web library. Are there any workarounds?
v
@emarcus It sounds like you're encountering a Content Security Policy (CSP) issue where the Chrome extension's CSP is preventing the evaluation of scripts not explicitly allowed. This is a common security feature to prevent potentially malicious code from executing. Here are a few steps you can take to work around this issue:

1. Modify CSP in the Extension's Manifest: You can try to loosen the CSP in your Chrome extension's manifest file by adding the source of the script to the `script-src` directive. However, this might not be the best practice due to security concerns.
2. Use a Nonce or Hash: If you have control over the server that serves the JavaScript file, you can include a nonce or a hash in the CSP header which matches the script you want to allow.
3. Content Security Policy Level 3: If you're using CSP level 3, you can use the `strict-dynamic` keyword, which allows scripts to load additional scripts if they are loaded by a trusted script.
4. Web Workers: Sometimes, loading the script inside a Web Worker can bypass the CSP directive, but this is not a guaranteed solution and may not work for all scripts.
5. Refactor the Code: If possible, refactor the code to avoid using `eval` or similar functions that can execute JavaScript from strings. This is the most secure approach.
6. Contact the Library Authors: Since you're using the `@vapi-ai/web` library, it might be worth reaching out to the library authors to see if they have a version of the library that doesn't use `eval` or if they can provide a workaround.

Remember that any modifications to the CSP should be done with caution, as they can potentially open up security vulnerabilities. Always aim to keep your CSP as strict as possible while allowing the functionality you need. If you need further assistance with the integration or have more questions about VAPI, please let me know!
You can continue this conversation by mentioning me in the message.
Got it. Tagging @User for additional help.
s
@emarcus Can you ask this question on Vapi OH? https://discord.gg/DgXAmvym?event=1249076897044889600
e
Sorry, today I am afk already, how often is this event?
s
3 days a week.
e
So I assume the next is on Monday?
I see, okay
s
Yeah.
s
Hey team, just wanted to know what was the conclusion of this issue? I am facing the same error and wanted to know if there's any fix. @Sahil @Vapi
v
@Samesh The issue you're facing with the Chrome extension and the `@vapi-ai/web` library is related to the Content Security Policy (CSP) which is preventing the execution of scripts not explicitly allowed by the policy. Here are some potential solutions that were discussed:

1. Modify the Extension's Manifest: Adjust the CSP in your Chrome extension's manifest file to include the script's source in the `script-src` directive.
2. Use Nonce or Hash: Include a nonce or a hash in the CSP header that matches the script you want to allow, if you have control over the server serving the JavaScript file.
3. CSP Level 3 Features: Utilize the `strict-dynamic` keyword if you're using CSP level 3, which allows scripts to load additional scripts if they are loaded by a trusted script.
4. Web Workers: Try loading the script inside a Web Worker, which might bypass the CSP directive.
5. Refactor the Code: If possible, avoid using `eval` or similar functions by refactoring the code. This is the most secure approach.
6. Reach Out to Library Authors: Contact the authors of the `@vapi-ai/web` library for a version that doesn't use `eval` or for a possible workaround.

The event you mentioned, Vapi OH, occurs three times a week, and the next one is likely on Monday. It's a good opportunity to discuss such issues directly with the team or community. If you need further assistance or have additional questions, please feel free to ask.
s
I tried all these approaches but none work.
s
Open a new ticket.
s
okay