
Revision 1065576 of content_security_policy

  • Revision slug: Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy
  • Revision title: content_security_policy
  • Revision id: 1065576
  • Created:
  • Creator: wbamberg
  • Is current revision? No
  • Comment

Revision Content

{{AddonSidebar}}
Type String
Mandatory No
Example
"content_security_policy": "script-src 'self' https://example.com; object-src 'self'"

WebExtensions have a content security policy applied to them by default. The default policy restricts the sources from which they can load <script> and <object> resources to the extension's own package, and disallows potentially unsafe practices such as the use of eval(). See the Content Security Policy page for more details.

You can use the "content_security_policy" manifest key to loosen or tighten the default policy.

This key is specified in just the same way as the Content-Security-Policy HTTP header. See Using Content Security Policy for a general description of the syntax.

In general, you can use this key to:

  • Allow the WebExtension to load scripts and objects from outside its package, by supplying their URL in the "script-src" or "object-src" directives.
  • Allow the WebExtension to execute inline scripts, by supplying the hash of the script in the "script-src" directive.
  • Allow the WebExtension to use eval() and similar features, by including 'unsafe-eval' in the "script-src" directive.
  • Restrict permitted sources for other types of content, such as images and stylesheets, using the appropriate policy directive.

There are restrictions on the policy you can specify here:

  • The policy must include at least the "script-src" and the "object-src" directives, and these directives must contain the keyword 'self'. A "default-src" directive satisfies this for both, because CSP falls back to "default-src" for any directive that is not set (see the "default-src 'self'" example below).
  • Remote sources must use https: schemes.
  • Remote sources must not use wildcards for any domains in the public suffix list (so "*.co.uk" and "*.blogspot.com" are not allowed, although "*.foo.blogspot.com" is allowed).
  • All sources must specify a host.
  • The only permitted schemes for sources are: blob:, filesystem:, moz-extension:, and https:.
  • The only permitted keywords are: 'none', 'self', and 'unsafe-eval'. Hash sources such as 'sha256-...' are source expressions rather than keywords and are accepted (see the inline script example below); 'unsafe-inline' is rejected.
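The rules above are easy to get wrong by hand, so here is a small validator, added as an example and not Firefox's own manifest parser, that checks a policy string against them. It treats "default-src" as the fallback for a missing "script-src" or "object-src" (so "default-src 'self'" passes, as in the example further down), accepts hash sources alongside the three keywords, and takes the strict reading that a remote host must be written with an explicit https:// and that a bare scheme such as blob: has no host and is therefore rejected. The public-suffix sample inside it is constructed for the example and must be replaced with the real list.

```javascript
// Added example, not Firefox's own validator: checks a manifest
// "content_security_policy" string against the restrictions listed above.
// Hash sources ('sha256-...' etc.) are accepted because the page shows one as
// valid; a bare host without "https://" is rejected, a strict reading of
// "remote sources must use https: schemes" (assumption).

const PERMITTED_KEYWORDS = new Set(["'none'", "'self'", "'unsafe-eval'"]);
const PERMITTED_SCHEMES = new Set(["blob:", "filesystem:", "moz-extension:", "https:"]);
// Constructed sample of https://publicsuffix.org/list/ for the wildcard rule;
// a real check must load the full list.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "uk", "co.uk", "blogspot.com", "github.io"]);

// "script-src 'self' https://a.com; object-src 'self'" -> Map(name -> [sources])
function parsePolicy(policy) {
  const directives = new Map();
  for (const raw of policy.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // tolerate a trailing ";"
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function checkSource(directive, source, errors) {
  const where = `${directive}: ${source}`;
  if (source.startsWith("'")) {
    if (PERMITTED_KEYWORDS.has(source.toLowerCase())) return;
    if (/^'sha(256|384|512)-[A-Za-z0-9+/]+=*'$/.test(source)) return; // hash source
    errors.push(`unsupported keyword in ${where}`);
    return;
  }
  // Scheme-only ("https:") or scheme-plus-host ("https://host:port/path") sources.
  const m = /^([a-z][a-z0-9+.-]*):(?:\/\/(.*))?$/i.exec(source);
  let scheme = null;
  let rest = source;
  if (m) {
    scheme = `${m[1].toLowerCase()}:`;
    rest = m[2] === undefined ? "" : m[2];
    if (!PERMITTED_SCHEMES.has(scheme)) {
      errors.push(`scheme ${scheme} is not permitted in ${where}`);
      return;
    }
  }
  const host = rest.split(/[/:]/)[0]; // drop port and path
  if (host === "" || host === "*") {
    errors.push(`source has no host in ${where}`);
    return;
  }
  if (scheme === null) {
    errors.push(`remote source must use https:// in ${where}`);
    return;
  }
  if (host.startsWith("*.")) {
    const suffix = host.slice(2);
    if (suffix.includes("*") || PUBLIC_SUFFIXES.has(suffix)) {
      errors.push(`wildcard over a public suffix in ${where}`);
    }
  } else if (host.includes("*")) {
    errors.push(`wildcard is only allowed as a leading "*." label in ${where}`);
  }
}

// Returns { valid, errors } for a manifest content_security_policy string.
function validateExtensionCsp(policy) {
  const errors = [];
  const directives = parsePolicy(policy);
  for (const required of ["script-src", "object-src"]) {
    // default-src is the CSP fallback, so "default-src 'self'" counts for both.
    const sources = directives.get(required) || directives.get("default-src");
    if (!sources) {
      errors.push(`missing required directive ${required} (and no default-src)`);
    } else if (!sources.some((s) => s.toLowerCase() === "'self'")) {
      errors.push(`${required} must contain 'self'`);
    }
  }
  for (const [name, sources] of directives) {
    for (const source of sources) checkSource(name, source, errors);
  }
  return { valid: errors.length === 0, errors };
}

console.log(validateExtensionCsp("script-src 'self' http://code.jquery.com; object-src 'self'"));
```

Run it over the valid and invalid examples in the next section: every valid one returns an empty errors array, and each invalid one reports the specific rule it breaks, which is more useful than the single rejection the add-on validator gives you at upload time.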

{{WebExtCompat()}}

Example

Valid examples

Allow remote scripts from "https://example.com":

"content_security_policy": "script-src 'self' https://example.com; object-src 'self'"

Allow remote scripts from any subdomain of "jquery.com":

"content_security_policy": "script-src 'self' https://*.jquery.com; object-src 'self'"

Allow eval() and friends:

"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self';"

Allow the inline script: "<script>alert('Hello, world.');</script>":

"content_security_policy": "script-src 'self' 'sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng='; object-src 'self'"

Keep the default policy for scripts and objects, but also require that images be packaged with the add-on:

"content_security_policy": "script-src 'self'; object-src 'self'; img-src 'self'"

Require that all types of content should be packaged with the add-on:

"content_security_policy": "default-src 'self'"

Invalid examples

Policy that omits the "object-src" directive:

"content_security_policy": "script-src 'self' https://*.jquery.com;"

Policy that omits the 'self' keyword in the "script-src" directive:

"content_security_policy": "script-src https://*.jquery.com; object-src 'self'"

Scheme for a remote source is not https: (plain http: is not a permitted scheme):

"content_security_policy": "script-src 'self' http://code.jquery.com; object-src 'self'"

Wildcard is used with a generic domain:

"content_security_policy": "script-src 'self' https://*.blogspot.com; object-src 'self'"

Source specifies a scheme but no host:

"content_security_policy": "script-src 'self' https:; object-src 'self'"

Directive includes the unsupported keyword 'unsafe-inline':

"content_security_policy": "script-src 'self' 'unsafe-inline'; object-src 'self'"


Revision Source

<div>{{AddonSidebar}}</div>

<table class="fullwidth-table standard-table">
 <tbody>
  <tr>
   <th scope="row" style="width: 30%;">Type</th>
   <td><code>String</code></td>
  </tr>
  <tr>
   <th scope="row">Mandatory</th>
   <td>No</td>
  </tr>
  <tr>
   <th scope="row">Example</th>
   <td>
    <pre class="brush: json">
"content_security_policy": "script-src 'self' https://example.com; object-src 'self'"</pre>
   </td>
  </tr>
 </tbody>
</table>

<p>WebExtensions have a content security policy applied to them by default. The default policy restricts the sources from which they can load <a href="https://developer.mozilla.org/en-US/docs/Web/HTML/Element/script">&lt;script&gt;</a> and <a href="https://developer.mozilla.org/en-US/docs/Web/HTML/Element/object">&lt;object&gt;</a> resources to the extension's own package, and disallows potentially unsafe practices such as the use of <code><a href="/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval">eval()</a></code>. See the <a href="/en-US/Add-ons/WebExtensions/Content_Security_Policy">Content Security Policy</a> page for more details.</p>

<p>You can use the <code>"content_security_policy"</code> manifest key to loosen or tighten the default policy.</p>

<p>This key is specified in just the same way as the Content-Security-Policy HTTP header. See <a href="/en-US/docs/Web/Security/CSP/Using_Content_Security_Policy">Using Content Security Policy</a> for a general description of the syntax.</p>

<p>In general, you can use this key to:</p>

<ul>
 <li>Allow the WebExtension to load scripts and objects from outside its package, by supplying their URL in the <code><a href="/en-US/docs/Web/Security/CSP/CSP_policy_directives#script-src">"script-src"</a></code> or <code><a href="/en-US/docs/Web/Security/CSP/CSP_policy_directives#object-src">"object-src"</a></code> directives.</li>
 <li>Allow the WebExtension to execute inline scripts, by <a href="https://www.w3.org/TR/2015/CR-CSP2-20150721/#script-src-hash-usage">supplying the hash of the script in the <code>"script-src"</code> directive</a>.</li>
 <li>Allow the WebExtension to use <code>eval()</code> and similar features, by including&nbsp;<code>'unsafe-eval'</code> in the&nbsp;<code><a href="/en-US/docs/Web/Security/CSP/CSP_policy_directives#script-src">"script-src"</a></code> directive.</li>
 <li>Restrict permitted sources for other types of content, such as images and stylesheets, using the appropriate <a href="/en-US/docs/Web/Security/CSP/CSP_policy_directives">policy directive</a>.</li>
</ul>

<p>There are restrictions on the policy you can specify here:</p>

<ul>
 <li>The policy must include at least the <code><a href="/en-US/docs/Web/Security/CSP/CSP_policy_directives#script-src">"script-src"</a></code> and the <code><a href="/en-US/docs/Web/Security/CSP/CSP_policy_directives#object-src">"object-src"</a></code> directives, and these directives must contain the keyword <code>'self'</code>. A <code>"default-src"</code> directive satisfies this for both, because CSP falls back to <code>"default-src"</code> for any directive that is not set (see the <code>"default-src 'self'"</code> example below).</li>
 <li>Remote sources must use <code>https:</code> schemes.</li>
 <li>Remote sources must not use wildcards for any domains in the <a href="https://publicsuffix.org/list/">public suffix list</a> (so "*.co.uk" and "*.blogspot.com" are not allowed, although "*.foo.blogspot.com" is allowed).</li>
 <li>All sources must specify a host.</li>
 <li>The only permitted schemes for sources are: <code>blob:</code>, <code>filesystem:</code>, <code>moz-extension:</code>, and <code>https:</code>.</li>
 <li>The only permitted <a href="/en-US/docs/Web/Security/CSP/CSP_policy_directives#Keywords">keywords</a> are: <code>'none'</code>, <code>'self'</code>, and <code>'unsafe-eval'</code>. Hash sources such as <code>'sha256-...'</code> are source expressions rather than keywords and are accepted (see the inline script example below); <code>'unsafe-inline'</code> is rejected.</li>
</ul>

<p>{{WebExtCompat()}}</p>

<h2 id="Example">Example</h2>

<h3 id="Valid_examples">Valid examples</h3>

<p>Allow remote scripts from "https://example.com":</p>

<pre class="brush: json">
"content_security_policy": "script-src 'self' https://example.com; object-src 'self'"</pre>

<p>Allow remote scripts from any subdomain of "jquery.com":</p>

<pre class="brush: json">
"content_security_policy": "script-src 'self' https://*.jquery.com; object-src 'self'"</pre>

<p>Allow <a href="/en-US/Add-ons/WebExtensions/Content_Security_Policy#eval%28%29_and_friends"><code>eval()</code> and friends</a>:</p>

<pre class="brush: json">
"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self';"</pre>

<p>Allow the inline script: <code>"&lt;script&gt;alert('Hello, world.');&lt;/script&gt;"</code>:</p>

<pre class="brush: json">
"content_security_policy": "script-src 'self' 'sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng='; object-src 'self'"</pre>

<p>Keep the default policy for scripts and objects, but also require that images be packaged with the add-on:</p>

<pre class="brush: json">
"content_security_policy": "script-src 'self'; object-src 'self'; img-src 'self'"</pre>

<p>Require that all types of content should be packaged with the add-on:</p>

<pre class="brush: json">
"content_security_policy": "default-src 'self'"
</pre>

<h3>Invalid examples</h3>

<p>Policy that omits the <code>"object-src"</code> directive:</p>

<pre class="brush: json">
"content_security_policy": "script-src 'self' https://*.jquery.com;"</pre>

<p>Policy that omits the <code>'self'</code> keyword in the <code>"script-src"</code> directive:</p>

<pre class="brush: json">
"content_security_policy": "script-src https://*.jquery.com; object-src 'self'"</pre>

<p>Scheme for a remote source is not <code>https:</code> (plain <code>http:</code> is not a permitted scheme):</p>

<pre class="brush: json">
"content_security_policy": "script-src 'self' http://code.jquery.com; object-src 'self'"</pre>

<p>Wildcard is used with a generic domain:</p>

<pre class="brush: json">
"content_security_policy": "script-src 'self' https://*.blogspot.com; object-src 'self'"</pre>

<p>Source specifies a scheme but no host:</p>

<pre class="brush: json">
"content_security_policy": "script-src 'self' https:; object-src 'self'"</pre>

<p>Directive includes the unsupported keyword <code>'unsafe-inline'</code>:</p>

<pre class="brush: json">
"content_security_policy": "script-src 'self' 'unsafe-inline'; object-src 'self'"</pre>
