content_security_policy

Type	`String`
Mandatory	No
Manifest version	2 or higher
Example	Manifest V2: json `"content_security_policy": "default-src 'self'"` Manifest V3: json `"content_security_policy": { "extension_pages": "default-src 'self'" }`

Extensions have a content security policy (CSP) applied to them by default. The default policy restricts the sources from which extensions can load code (such as <script> resources) and disallows potentially unsafe practices such as the use of eval(). See Default content security policy to learn more about the implications of this.

You can use the "content_security_policy" manifest key to loosen or tighten the default policy. This key is specified in the same way as the Content-Security-Policy HTTP header. See Using Content Security Policy for a general description of CSP syntax.

For example, you can use this key to:

Restrict permitted sources for other types of content, such as images and stylesheets, using the appropriate policy directive.
Allow the extension to take advantage of WebAssembly by including the 'wasm-unsafe-eval' source in the script-src directive.
Loosen the default script-src policies (Manifest V2 only):
- Allow the extension to load scripts from outside its package by supplying their URL in the script-src directive.
- Allow the extension to execute inline scripts by supplying the hash of the script in the script-src directive.
- Allow the extension to use eval() and similar features by including 'unsafe-eval' in the script-src directive.

There are restrictions on the policy you can specify with this manifest key:

The script-src directive must include at least the 'self' keyword and may only contain secure sources. The set of permitted secure sources differs between Manifest V2 and Manifest V3.
The policy may include default-src alone (without script-src) if its sources meet the requirement for the script-src directive.
The object-src keyword may be required, see object-src directive for details.
Directives that reference code – script-src, script-src-elem, worker-src, and default-src (if used as a fallback) – share the same secure source requirement. There are no restrictions on CSP directives that cover non-script content, such as img-src.

In Manifest V3, all CSP sources that refer to external or non-static content are forbidden. The only permitted values are 'none', 'self', and 'wasm-unsafe-eval'. However, during development, you can access the localhost for unpacked extensions from Chrome 110 and temporarily loaded extensions from Firefox 147 by setting the origin as localhost or 127.0.0.1.

In Manifest V2, a source for a script directive is considered secure if it meets these criteria:

Wildcard hosts are not permitted, such as "script-src 'self' *".
Remote sources must use https: schemes.
Remote sources must not use wildcards for any domains in the public suffix list (so *.co.uk and *.blogspot.com are not allowed, although *.foo.blogspot.com is permitted).
All sources must specify a host.
The only permitted schemes for sources are blob:, filesystem:, moz-extension:, https:, and wss:.
The only permitted keywords are: 'none', 'self', 'unsafe-eval', and 'wasm-unsafe-eval'.

object-src directive

The object-src directive may be required in some browsers that support obsolete plugins and should be set to a secure source such as 'none' if needed. This may be necessary for browsers up until 2022.

In Firefox, "object-src" is optional from Firefox 106. In earlier versions, if "object-src" isn't specified, "content_security_policy" is ignored and the default CSP is used.
In Chrome, "object-src" is required. If it's missing or deemed insecure, the default ("object-src 'self'") is used and a warning message logged.
In Safari, there is no requirement for "object-src".

See W3C WebExtensions Community Group issue 204, Remove object-src from the CSP, for more information.

Manifest V2 syntax

In Manifest V2, there is one content security policy specified against the key like this:

json

"content_security_policy": "default-src 'self'"

Manifest V3 syntax

In Manifest V3, the content_security_policy key is an object that may have any of these properties, all optional:

Name	Type	Description
`extension_pages`	`String`	The content security policy used for extension pages. The `script-src` and `worker-src` directives may only have these values: `'self'` `'none'` `'wasm-unsafe-eval'`
`sandbox`	`String`	The content security policy used for sandboxed extension pages.

Examples

Valid examples

Note: Valid examples demonstrate the correct use of keys in CSP. However, extensions with 'unsafe-eval', remote script, blob, or remote sources in their CSP are not allowed for Firefox extensions per the add-on policies and due to significant security issues.

Note: Some examples include the object-src directive, which provides backward compatibility for older browser versions. See object-src directive for more details.

Require that all types of content should be packaged with the extension:

Manifest V2

json

"content_security_policy": "default-src 'self'"

Manifest V3

json

"content_security_policy": {
  "extension_pages": "default-src 'self'"
}

Allow remote scripts from "https://example.com":

Manifest V2

json

"content_security_policy": "script-src 'self' https://example.com; object-src 'self'"

Manifest V3 does not allow remote URLs in script-src of extension_pages.

Allow remote scripts from any subdomain of "jquery.com":

Manifest V2

json

"content_security_policy": "script-src 'self' https://*.jquery.com; object-src 'self'"

Manifest V3 does not allow remote URLs in script-src of extension_pages. However, the localhost can be accessed during development for unpacked extensions from Chrome 110 and temporarily loaded extensions from Firefox 147:
json
```
"content_security_policy": {
  "extension_pages": "script-src 'self' http://localhost:3000"
}
```

Allow eval() and friends:

Manifest V2

json

"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self';"

Manifest V3 does not allow 'unsafe-eval' in script-src.

Allow the inline script: "<script>alert('Hello, world.');</script>":

Manifest V2

json

"content_security_policy": "script-src 'self' 'sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng='; object-src 'self'"

Manifest V3 does not allow CSP hashes in script-src of extension_pages.

Keep the rest of the policy, but also require that images should be packaged with the extension:

Manifest V2

json

"content_security_policy": "script-src 'self'; object-src 'self'; img-src 'self'"

Manifest V3

json

"content_security_policy": {
  "extension_pages": "script-src 'self'; img-src 'self'"
}

Enable the use of WebAssembly:

Manifest V2

For backward compatibility, Manifest V2 extensions in Firefox can use WebAssembly without the use of 'wasm-unsafe-eval'. However, this behavior isn't guaranteed. See Firefox bug 1770909. Extensions using WebAssembly are therefore encouraged to declare 'wasm-unsafe-eval' in their CSP. See WebAssembly on the Content Security Policy page for more information.
json
```
"content_security_policy": "script-src 'self' 'wasm-unsafe-eval'"
```

Manifest V3

json

"content_security_policy": {
  "extension_pages": "script-src 'self' 'wasm-unsafe-eval'"
}

Invalid examples

Policy that omits the "object-src" directive:

json

"content_security_policy": "script-src 'self' https://*.jquery.com;"

However, this is only invalid in browsers that support obsolete plugins. See object-src directive for more details.

Policy that omits the "self" keyword in the "script-src" directive:

json

"content_security_policy": "script-src https://*.jquery.com; object-src 'self'"

Scheme for a remote source is not https:

json

"content_security_policy": "script-src 'self' http://code.jquery.com; object-src 'self'"

Wildcard is used with a generic domain:

json

"content_security_policy": "script-src 'self' https://*.blogspot.com; object-src 'self'"

Source specifies a scheme but no host:

json

"content_security_policy": "script-src 'self' https:; object-src 'self'"

Directive includes the unsupported keyword 'unsafe-inline':

json

"content_security_policy": "script-src 'self' 'unsafe-inline'; object-src 'self'"

Browser compatibility

Help improve MDN

Learn how to contribute

This page was last modified on ⁨Jan 1, 1970⁩ by MDN contributors.

View this page on GitHub • Report a problem with this content