content_security_policy

Type String
Mandatory No
Example
"content_security_policy": "default-src 'self'"

Extensions have a content security policy applied to them by default. The default policy restricts the sources from which they can load <script> and <object> resources, and disallows potentially unsafe practices such as the use of eval(). See Default content security policy to learn more about the implications of this.

You can use the "content_security_policy" manifest key to loosen or tighten the default policy. This key is specified in just the same way as the Content-Security-Policy HTTP header. See Using Content Security Policy for a general description of CSP syntax.

For example, you can use this key to:

There are restrictions on the policy you can specify here:

  • The policy must include at least the script-src and the object-src directives (a default-src directive covers both, as the "default-src 'self'" example below shows), and the script-src directive must contain the keyword 'self'.
  • Remote sources must use https: schemes.
  • Remote sources must not use wildcards for any domains in the public suffix list (so "*.co.uk" and "*.blogspot.com" are not allowed, although "*.foo.blogspot.com" is allowed).
  • All sources must specify a host.
  • The only permitted schemes for sources are: blob:, filesystem:, moz-extension:, and https:.
  • The only permitted keywords are: 'none', 'self', and 'unsafe-eval'. Hash sources such as 'sha256-…' are also accepted, as the inline-script example below shows; 'unsafe-inline' is not.

Example

Valid examples

Allow remote scripts from "https://example.com": (see note 1)

"content_security_policy": "script-src 'self' https://example.com; object-src 'self'"

Allow remote scripts from any subdomain of "jquery.com":

"content_security_policy": "script-src 'self' https://*.jquery.com; object-src 'self'"

Allow eval() and friends:

"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self';"

Allow the inline script: "<script>alert('Hello, world.');</script>":

"content_security_policy": "script-src 'self' 'sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng='; object-src 'self'"

Keep the rest of the policy, but also require that images should be packaged with the extension:

"content_security_policy": "script-src 'self'; object-src 'self'; img-src 'self'"

Require that all types of content should be packaged with the extension:

"content_security_policy": "default-src 'self'"

Invalid examples

Policy that omits the "object-src" directive:

"content_security_policy": "script-src 'self' https://*.jquery.com;"

Policy that omits the "self" keyword in the "script-src" directive:

"content_security_policy": "script-src https://*.jquery.com; object-src 'self'"

Scheme for a remote source is not https:

"content_security_policy": "script-src 'self' http://code.jquery.com; object-src 'self'"

Wildcard is used with a generic domain:

"content_security_policy": "script-src 'self' https://*.blogspot.com; object-src 'self'"

Source specifies a scheme but no host:

"content_security_policy": "script-src 'self' https:; object-src 'self'"

Directive includes the unsupported keyword 'unsafe-inline':

"content_security_policy": "script-src 'self' 'unsafe-inline'; object-src 'self'"

1. Note: Valid examples display the correct use of keys in CSP. However, extensions with 'unsafe-eval', 'unsafe-inline', remote script, blob, or remote sources in their CSP are not allowed for extensions listed on addons.mozilla.org due to major security issues.

Browser compatibility

Key                       Chrome   Edge     Firefox   Opera    Safari   Firefox for Android
content_security_policy   Yes      14 [1]   48 [2]    Yes      14       No
content_scripts           No [3]   No [3]   72 [4]    No [3]   No       No
extension_pages           No [5]   No [5]   72 [4]    No       No       No
isolated_world            No [6]   No [6]   No [7]    No       No       No [7]
sandbox                   No [5]   No [5]   No [8]    No       No       No [8]

"Yes" or a version number means supported (from that version); "No" means not supported; [n] refers to the implementation notes below.

Notes

1. Edge: only the default content security policy is supported: "script-src 'self'; object-src 'self';".
2. Firefox does not support 'http://127.0.0.1' or 'http://localhost' as script sources: they must be served over HTTPS.
3. See isolated_world.
4. Firefox 72 and later, disabled by default: the feature is behind the extensions.content_script_csp.enabled preference (needs to be set to true) and the extensions.content_script_csp.report_only preference (needs to be set to false). To change preferences in Firefox, visit about:config.
5. Available in Canary builds.
6. Not yet implemented.
7. See content_scripts.
8. Firefox does not support sandboxed scripts, so this key is not applicable.