Type | String |
---|---|
Mandatory | No |
Example |
"content_security_policy": "default-src 'self'" |
Extensions have a content security policy applied to them by default. The default policy restricts the sources from which they can load <script> and <object> resources, and disallows potentially unsafe practices such as the use of eval()
. See Default content security policy to learn more about the implications of this.
You can use the "content_security_policy"
manifest key to loosen or tighten the default policy. This key is specified in just the same way as the Content-Security-Policy HTTP header. See Using Content Security Policy for a general description of CSP syntax.
For example, you can use this key to:
- Allow the extension to load scripts and objects from outside its package, by supplying their URL in the
script-src
orobject-src
directives. - Allow the extension to execute inline scripts, by supplying the hash of the script in the
"script-src"
directive. - Allow the extension to use
eval()
and similar features, by including'unsafe-eval'
in thescript-src
directive. - Restrict permitted sources for other types of content, such as images and stylesheets, using the appropriate policy directive.
There are restrictions on the policy you can specify here:
- The policy may include just
default-src
, but if not the policy must include at least thescript-src
and theobject-src
directives, and thescript-src
directive must contain the keyword'self'
. - Remote sources must use
https:
schemes. - Remote sources must not use wildcards for any domains in the public suffix list (so "*.co.uk" and "*.blogspot.com" are not allowed, although "*.foo.blogspot.com" is allowed).
- All sources must specify a host.
- The only permitted schemes for sources are:
blob:
,filesystem:
,moz-extension:
,https:
, andwss:
. - The only permitted keywords are:
'none'
,'self'
, and'unsafe-eval'
.