Violation of Content Security Policy directive: Inline script does not comply with the "script-src 'self'" specification

Question

I use react-create-app to build my Chrome extension. When I use npm run build in react-create-app, I get the following error:

Execution of the inline script is denied because it violates the following Content Security Policy directive: "script-src 'self'". To enable inline execution, use the "unsafe-inline" keyword, a hash ('sha256-5='), or a one-time nonce ('nonce-...').

Error inindex.html

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8" />
    <link rel="shortcut icon" href="%PUBLIC_URL%/favicon.ico" />
    <meta name="viewport" content="width=device-width, initial-scale=1" />
    <meta name="theme-color" content="#000000" />
    <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css" />
    <link
      rel="stylesheet"
      href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css"
      integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va PmSTsz/K68vbdEjh4u"
      crossorigin="anonymous"
    />
    <!--
      Manifest.json provides metadata that is used when your web application is installed on a user's mobile device or desktop. See https://developers.google.com/web/fundamentals/web-app-manifest/
    -->
    <link rel="manifest" href="%PUBLIC_URL%/manifest.json" />
    <!--
      Note the use of %PUBLIC_URL% in the tag above.
      During the build process it will be replaced with the URL of the `public` folder.
      Only files in the `public` folder can be referenced from HTML.

      Unlike "/favicon.ico" or "favicon.ico", "%PUBLIC_URL%/favicon.ico" will work correctly on client routes and non-root public URLs.
      Run `npm run build` to learn how to configure non-root public URLs.
    -->
    <title>React App</title>
  </head>
  <body>
    <noscript>You need to enable JavaScript to run this application. </noscript>
    <div id="root"></div>
    <!--
      This HTML file is a template.
      If you open it directly in your browser, you will see a blank page.

      You can add web fonts, meta tags or analytics in this file.
      The build step will put the bundled scripts into `` tags.

      To start development, run `npm start` or `yarn start`.
      To create a production bundle, use `npm run build` or `yarn build`.
    -->
  </body>
</html>

manifest.json

{
  "manifest_version": 2,
  "name": "IC Project chrome extension",
  "description": "This extension is a starting point to create a real Chrome extension",
  "version": "0.0.1",
  "browser_action": {
    "default_popup": "index.html",
    "default_title": "Open the popup"
  },
  "icons": {
    "16": "assets/icon-128.png",
    "48": "assets/icon-128.png",
    "128": "assets/icon-128.png"
  },
  "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"
}

Answer 1

After a few frustrating hours, I found a solution that works. Running scripts differs between Mac and PC. A lot of the answers I found had the difference with "set" and without "set". Some with "&&", some without... but none of them work for me.

In short: use the "cross-env" npm package like this:

cross-env INLINE_RUNTIME_CHUNK=false react-scripts build

This works on PC, probably on Mac too. Of course, you need to npm install --save-dev cross-env before doing this.