Welcome What's new in Chrome extensions Getting started API Reference Samples
Welcome What's new in Chrome extensions Getting started API Reference Samples

Manifest - Web Accessible Resources

Published on Updated on

Web-accessible resources are files inside an extension that can be accessed by web pages or other extensions. Extensions typically use this feature to expose images or other assets that need to be loaded in web pages, but any asset included in an extension's bundle can be made web accessible.

By default no resources are web accessible; only pages or scripts loaded from an extension's origin can access that extension's resources. Extension authors can use the web_accessible_resources manifest property to declare which resources are exposed and to what origins.

Prior to Manifest V2 all resources within an extension could be accessed from any page on the web. This allowed a malicious website to fingerprint the extensions that a user has installed or exploit vulnerabilities (for example XSS bugs) within installed extensions.

Beginning with Manifest V2, access to those resources was limited to protect the privacy of users. MV2 extensions exposed only those resources explicitly designated as web accessible.

Manifest V3 provides finer-grained control, letting you expose individual resources to specified pages, domains, or extensions.

Manifest declaration

An array of objects that declare resource access rules. Each object maps an array of extension resources to an array of URLs and/or extension IDs that can access those resources.

{
...
"web_accessible_resources": [
{
"resources": [ "test1.png", "test2.png" ],
"matches": [ "https://web-accessible-resources-1.glitch.me/*" ]
}, {
"resources": [ "test3.png", "test4.png" ],
"matches": [ "https://web-accessible-resources-2.glitch.me/*" ],
"use_dynamic_url": true
}
],
...
}

Each object in the array contains these properties:

resources
An array of resources to be exposed. Resources are specified as strings and may contain * for wildcard matches. For example, "/images/*" exposes everything in the extension's /images directory recursively while "*.png" exposes all PNG files.
matches
A list of URL match patterns specifying which pages can access the resources. Only the origin is used to match URLs; subdomains patterns (*.google.com) and paths are ignored.
extension_ids
A list of extension IDs, specifying which extensions can access the resources.
use_dynamic_url
If true, only allow resources to be accessible through dynamic ID. The dynamic ID is generated per session. It's regenerated on browser restart or extension reload.

Each element must include a "resources" element and either a "matches" or "extension_ids" element. This establishes a mapping that exposes the specified resources to web pages matching the pattern or to specified extensions.

These resources are available in a webpage via the URL chrome-extension://[PACKAGE ID]/[PATH], which can be generated with the runtime.getURL method. The resources are served with appropriate CORS headers, so they're available via mechanisms like XHR.

A navigation from a web origin to an extension resource will be blocked unless the resource is listed as web accessible. Note these corner cases:

  • When an extension uses the webRequest or declarativeWebRequest APIs to redirect a public resource request to a resource that is not web accessible, such request is also blocked.
  • The above holds true even if the resource that is not web accessible is owned by the redirecting extension.

Content scripts themselves do not need to be allowed.

Example

The Web Accessible Resources example demonstrates the use of this element in a working extension.

Last updated: Improve article

We serve cookies on this site to analyze traffic, remember your preferences, and optimize your experience.