content_security_policy

Type: String
Mandatory: No
Manifest version: 2 or higher
Example:

"content_security_policy": "default-src 'self'"

Extensions have a content security policy applied to them by default. The default policy restricts the sources from which they can load <script> and <object> resources, and disallows potentially unsafe practices such as the use of eval(). See Default content security policy to learn more about the implications of this.

You can use the "content_security_policy" manifest key to loosen or tighten the default policy. This key is specified in just the same way as the Content-Security-Policy HTTP header. See Using Content Security Policy for a general description of CSP syntax.

For example, you can use this key to:

There are restrictions on the policy you can specify here:

  • The policy may include just default-src, but if not the policy must include at least the script-src and the object-src directives, and the script-src directive must contain the keyword 'self'.
  • Remote sources must use https: schemes.
  • Remote sources must not use wildcards for any domains in the public suffix list (so "*.co.uk" and "*.blogspot.com" are not allowed, although "*.foo.blogspot.com" is allowed).
  • All sources must specify a host.
  • The only permitted schemes for sources are: blob:, filesystem:, moz-extension:, https:, and wss:.
  • The only permitted keywords are: 'none', 'self', and 'unsafe-eval'.

Manifest V2 syntax

In Manifest V2 there is one content security policy specified against the key, like this:

"content_security_policy": "default-src 'self'"

Manifest V3 syntax

In Manifest V3, the content_security_policy key is an object that may have any of the following properties, all optional:

extension_pages (String): The content security policy used for extension pages. The script-src, object-src, and worker-src directives may only have these values:
  • 'self'
  • 'none'
  • Any localhost source (http://localhost, http://127.0.0.1, or any port on those hosts)
sandbox (String): The content security policy used for sandboxed extension pages.

Example

Valid examples

Note: Valid examples demonstrate the correct use of keys in CSP. However, extensions with 'unsafe-eval', remote script, blob, or remote sources in their CSP are not allowed for Firefox extensions as per the add-on policies and due to major security issues.

Require that all types of content be packaged with the extension:

Manifest V2

"content_security_policy": "default-src 'self'"

Manifest V3

"content_security_policy": {
  "extension_pages": "default-src 'self'"
}

Allow remote scripts from "https://example.com":

Manifest V2

"content_security_policy": "script-src 'self' https://example.com; object-src 'self'"

Manifest V3

"content_security_policy": {
  "extension_pages": "script-src 'self' https://example.com; object-src 'self'"
}

Allow remote scripts from any subdomain of "jquery.com":

Manifest V2

"content_security_policy": "script-src 'self' https://*.jquery.com; object-src 'self'"

Manifest V3

"content_security_policy": {
  "extension_pages": "script-src 'self' https://*.jquery.com; object-src 'self'"
}

Allow eval() and friends:

Manifest V2

"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self';"

Manifest V3

"content_security_policy": {
  "extension_pages": "script-src 'self' 'unsafe-eval'; object-src 'self';"
}

Allow the inline script: "<script>alert('Hello, world.');</script>":

Manifest V2

"content_security_policy": "script-src 'self' 'sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng='; object-src 'self'"

Manifest V3

"content_security_policy": {
  "extension_pages": "script-src 'self' 'sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng='; object-src 'self'"
}

Keep the rest of the policy, but also require that images should be packaged with the extension:

Manifest V2

"content_security_policy": "script-src 'self'; object-src 'self'; img-src 'self'"

Manifest V3

"content_security_policy": {
  "extension_pages": "script-src 'self'; object-src 'self'; img-src 'self'"
}

Invalid examples

Policy that omits the "object-src" directive:

"content_security_policy": "script-src 'self' https://*.jquery.com;"

Policy that omits the "self" keyword in the "script-src" directive:

"content_security_policy": "script-src https://*.jquery.com; object-src 'self'"

Scheme for a remote source is not https:

"content_security_policy": "script-src 'self' http://code.jquery.com; object-src 'self'"

Wildcard is used with a generic domain:

"content_security_policy": "script-src 'self' https://*.blogspot.com; object-src 'self'"

Source specifies a scheme but no host:

"content_security_policy": "script-src 'self' https:; object-src 'self'"

Directive includes the unsupported keyword 'unsafe-inline':

"content_security_policy": "script-src 'self' 'unsafe-inline'; object-src 'self'"
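As an added example that is not part of this page and not Firefox's own validation code, the following checker applies the restrictions listed above to a Manifest V2 policy string and reproduces the verdicts for the valid and invalid examples. PUBLIC_SUFFIXES is a constructed stand-in for the public suffix list, and treating blob: and filesystem: as host-less sources is an assumption of this example.

```javascript
// Added example (not MDN's or Firefox's own validator): checks a Manifest V2
// "content_security_policy" string against the restrictions listed on this page.
// PUBLIC_SUFFIXES is a constructed sample, not the real public suffix list.
const PUBLIC_SUFFIXES = new Set(["com", "co.uk", "blogspot.com"]);
const ALLOWED_SCHEMES = new Set(["blob:", "filesystem:", "moz-extension:", "https:", "wss:"]);
const ALLOWED_KEYWORDS = new Set(["'none'", "'self'", "'unsafe-eval'"]);

// "script-src 'self' https://a.com; object-src 'self'" -> Map(directive -> [sources])
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Returns null when one source expression is acceptable, else the reason it is not.
function checkSource(src) {
  if (/^'sha(256|384|512)-[A-Za-z0-9+\/]+=*'$/.test(src)) return null; // hash source
  if (src.startsWith("'")) return ALLOWED_KEYWORDS.has(src) ? null : `keyword ${src} not permitted`;
  const m = /^([a-z][a-z0-9+.-]*:)(?:\/\/)?([^/:]*)/i.exec(src);
  if (!m) return `remote source ${src} must use the https: scheme`;
  const scheme = m[1].toLowerCase(), host = m[2];
  if (!ALLOWED_SCHEMES.has(scheme)) return `scheme ${scheme} not permitted`;
  // Assumption: blob:/filesystem: sources carry no host; every other scheme needs one.
  if (scheme === "blob:" || scheme === "filesystem:") return null;
  if (host === "" || host === "*") return `source ${src} specifies a scheme but no host`;
  if (host.startsWith("*.") && PUBLIC_SUFFIXES.has(host.slice(2).toLowerCase()))
    return `wildcard on public-suffix domain ${host} not allowed`;
  return null;
}

// Returns { valid, errors } for one policy string.
function validateExtensionCSP(policy) {
  const directives = parsePolicy(policy);
  const errors = [];
  const onlyDefault = directives.size === 1 && directives.has("default-src");
  if (!onlyDefault) {
    if (!directives.has("script-src")) errors.push("missing script-src");
    if (!directives.has("object-src")) errors.push("missing object-src");
    if (directives.has("script-src") && !directives.get("script-src").includes("'self'"))
      errors.push("script-src must contain 'self'");
  }
  for (const [name, sources] of directives)
    for (const src of sources) { const e = checkSource(src); if (e) errors.push(`${name}: ${e}`); }
  return { valid: errors.length === 0, errors };
}
```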
