| Type | String |
|---|---|
| Mandatory | No |
| Example |
"content_security_policy": "script-src 'self' https://example.com; object-src 'self'" |
WebExtensions have a content security policy applied to them by default. The default policy restricts the sources from which they can load <script> and <object> resources, and disallows potentially unsafe practices such as the use of eval(). See Default content security policy to learn more about the implications of this.
You can use the "content_security_policy" manifest key to loosen or tighten the default policy. This key is specified in just the same way as the Content-Security-Policy HTTP header. See Using Content Security Policy for a general description of CSP syntax.
For example, you can use this key to:
- Allow the WebExtension to load scripts and objects from outside its package, by supplying their URL in the
"script-src"or"object-src"directives. - Allow the WebExtension to execute inline scripts, by supplying the hash of the script in the
"script-src"directive. - Allow the WebExtension to use
eval()and similar features, by including'unsafe-eval'in the"script-src"directive. - Restrict permitted sources for other types of content, such as images and stylesheets, using the appropriate policy directive.
There are restrictions on the policy you can specify here:
- The policy must include at least the
"script-src"and the"object-src"directives, and the"script-src"directive must contain the keyword'self'. - Remote sources must use
https:schemes. - Remote sources must not use wildcards for any domains in the public suffix list (so "*.co.uk" and "*.blogspot.com" are not allowed, although "*.foo.blogspot.com" is allowed).
- All sources must specify a host.
- The only permitted schemes for sources are:
blob:,filesystem:,moz-extension:, andhttps:. - The only permitted keywords are:
'none','self', and'unsafe-eval'.
Chrome incompatibilities
content_security_policy
Firefox does not support:
- "https://127.0.0.1" or "https://localhost" as script sources: they must be served over HTTPS.
Example
Valid examples
Allow remote scripts from "https://example.com":
"content_security_policy": "script-src 'self' https://example.com; object-src 'self'"
Allow remote scripts from any subdomain of "jquery.com":
"content_security_policy": "script-src 'self' https://*.jquery.com; object-src 'self'"
Allow eval() and friends:
"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self';"
Allow the inline script: "<script>alert('Hello, world.');</script>":
"content_security_policy": "script-src 'self' 'sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng='; object-src 'self'"
Keep the rest of the policy, but also require that images should be packaged with the add-on:
"content_security_policy": "script-src 'self'; object-src 'self'; img-src 'self'"
Require that all types of content should be packaged with the add-on:
"content_security_policy": "default-src 'self'"
Invalid examples
Policy that omits the "object-src" directive:
"content_security_policy": "script-src 'self' https://*.jquery.com;"
Policy that omits the "self" keyword in the "script-src" directive:
"content_security_policy": "script-src https://*.jquery.com; object-src 'self'"
Scheme for a remote source is not https:
"content_security_policy": "script-src 'self' https://code.jquery.com; object-src 'self'"
Wildcard is used with a generic domain:
"content_security_policy": "script-src 'self' https://*.blogspot.com; object-src 'self'"
Source specifies a scheme but no host:
"content_security_policy": "script-src 'self' https:; object-src 'self'"
Directive includes the unsupported keyword 'unsafe-inline':
"content_security_policy": "script-src 'self' 'unsafe-inline'; object-src 'self'"