For example, the Beastify example extension replaces a web page with an image of a beast selected by the user. The beast images are packaged with the extension. To make the selected image visible, the extension adds
<img> elements whose
src attribute points to the beast's image. For the web page to be able to load the images, they must be made web accessible.
web_accessible_resources key, you list all the packaged resources that you want to make available to web pages. You specify them as paths relative to the manifest.json file.
Note that content scripts don't need to be listed as web accessible resources.
If an extension wants to use
webRequest to redirect a public URL (e.g., HTTPS) to a page that's packaged in the extension, then the extension must list the page in the
For example, suppose your extension includes an image file at images/my-image.png, like this:
my-extension-files/ manifest.json my-background-script.js images/ my-image.png
To enable a web page to use an
<img> element whose
src attribute points to this image, you would specify
web_accessible_resources like this:
The file is then available using a URL like:
<extension-UUID> is not your extension's ID. This ID is randomly generated for every browser instance. This prevents websites from fingerprinting a browser by examining the extensions it has installed.
Note: In Chrome, an extension's ID is fixed. When a resource is listed in
web_accessible_resources, it is accessible as
The recommended approach to obtaining the URL of the resource is to use
runtime.getURL passing the path relative to manifest.json, for example:
browser.runtime.getURL("images/my-image.png"); // something like: // moz-extension://944cfddf-7a95-3c47-bd9a-663b3ce8d699/images/my-image.png
This approach gives you the correct URL regardless of the browser your extension is running on.
web_accessible_resources entries can contain wildcards. For example, the following entry would also work to include the resource at "images/my-image.png":
Note that if you make a page web-accessible, any website may link or redirect to that page. The page should then treat any input (POST data, for examples) as if it came from an untrusted source, just as a normal web page should.
Web-accessible extension resources are not blocked by CORS or CSP. Because of this ability to bypass security checks, extensions should avoid the use of web-accessible scripts when possible. A web-accessible extension script can unexpectedly be misused by malcious websites to weaken the security of other websites. Follow the security best practices by avoiding injection of moz-extension:-URLs in web pages and ensuring that third-party libraries are up to date.
Make the file at "images/my-image.png" web accessible.
BCD tables only load in the browser