Welcome What's new in Chrome extensions API reference Samples
Welcome What's new in Chrome extensions API reference Samples

Manifest - Content Security Policy

Published on Updated on

An optional manifest key defining restrictions on the scripts, styles, and other resources an extension can use. Within this manifest key, separate optional policies can be defined for both extension pages and sandboxed extension pages.

The "extension pages" policy applies to page and worker contexts in the extension. This would include the extension popup, background worker, and tabs with HTML pages or iframes that were opened by the extension. The sandbox policy applies to all pages specified as a sandbox page in the manifest.

Default Policy

If the content security policy is not defined by the user in the manifest, the default properties will be used for both extension pages and sandboxed extension pages.

These defaults are equivalent to specifying the following policies in your manifest:

{
// ...
"content_security_policy": {
"extension_pages": "script-src 'self'; object-src 'self';",
"sandbox": "sandbox allow-scripts allow-forms allow-popups allow-modals; script-src 'self' 'unsafe-inline' 'unsafe-eval'; child-src 'self';"
}
// ...
}

In this case, the extension will only load local scripts and objects from its own packaged resources. WebAssembly will be disabled, and the extension will not run in-line Javascript or be able to evaluate strings as executable code. If a sandbox page is added, it will have more relaxed permissions for evaluating scripts from outside the extension.

Minimum and customized Content Security Policies

Developers may add or remove rules for their extension, or use the minimum required content security policy, to fit the needs of their project.

Extension Pages Policy

Chrome enforces a minimum content security policy for extension pages. It is equivalent to specifying the following policy in your manifest:

{
// ...
"content_security_policy": {
"extension_pages": "script-src 'self' 'wasm-unsafe-eval'; object-src 'self';"
}
// ...
}

The extension_pages policy cannot be relaxed beyond this minimum value. In other words, you cannot add other script sources to directives, such as adding 'unsafe-eval' to script-src. If you add a disallowed source to your extension's policy, Chrome will throw an error like this at install time:

'content_security_policy.extension_pages': Insecure CSP value "'unsafe-eval'" in directive 'script-src'.

Sandbox Pages Policy

The default policy for sandboxed pages is much more lenient than with extension pages, as the sandbox page does not have access to extension APIs, or direct access to non-sandboxed pages. The sandbox content security policy can be customized as desired.

Updated on Improve article

We serve cookies on this site to analyze traffic, remember your preferences, and optimize your experience.