
Revision 1065622 of content_security_policy

  • Revision slug: Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy
  • Revision title: content_security_policy
  • Revision id: 1065622
  • Created:
  • Creator: wbamberg
  • Is current revision? No
  • Comment

Revision Content

{{AddonSidebar}}
Type: String
Mandatory: No
Example:
"content_security_policy": "script-src 'self' https://example.com; object-src 'self'"

WebExtensions have a content security policy applied to them by default. The default policy restricts the sources from which they can load <script> and <object> resources, and disallows potentially unsafe practices such as the use of eval(). See the Default content security policy page to learn more about the implications of this.

You can use the "content_security_policy" manifest key to loosen or tighten the default policy. This key is specified in just the same way as the Content-Security-Policy HTTP header. See Using Content Security Policy for a general description of the syntax.

For example, you can use this key to:

  • Allow the WebExtension to load scripts and objects from outside its package, by supplying their URL in the "script-src" or "object-src" directives.
  • Allow the WebExtension to execute inline scripts, by supplying the hash of the script in the "script-src" directive.
  • Allow the WebExtension to use eval() and similar features, by including 'unsafe-eval' in the "script-src" directive.
  • Restrict permitted sources for other types of content, such as images and stylesheets, using the appropriate policy directive.

There are restrictions on the policy you can specify here:

  • The policy must include at least the "script-src" and the "object-src" directives, and these directives must contain the keyword 'self'.
  • Remote sources must use https: schemes.
  • Remote sources must not use wildcards for any domains in the public suffix list (so "*.co.uk" and "*.blogspot.com" are not allowed, although "*.foo.blogspot.com" is allowed).
  • All sources must specify a host.
  • The only permitted schemes for sources are: blob:, filesystem:, moz-extension:, and https:.
  • The only permitted keywords are: 'none', 'self', and 'unsafe-eval'.
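As an added example (not code from the MDN page, and not Firefox's own manifest validator), the following JavaScript checker applies the restrictions listed above to a policy string and reports every violation it finds. The public suffix list is replaced by a constructed three-entry stand-in, and the treatment of bare `blob:`, `filesystem:` and `moz-extension:` sources (which cannot carry a host) is an assumption; hash sources such as `'sha256-…'` are accepted because the page's own valid examples use one.

```javascript
// Added example, not code from the MDN page or from Firefox: a checker that
// applies the restrictions MDN lists for the "content_security_policy" key.
// Inputs outside those stated rules are handled by assumption (marked below).

// Constructed stand-in for the public suffix list (https://publicsuffix.org/list/).
// A real checker would load the full list.
const PUBLIC_SUFFIXES = new Set(['com', 'co.uk', 'blogspot.com']);

const PERMITTED_SCHEMES = new Set(['blob', 'filesystem', 'moz-extension', 'https']);
const PERMITTED_KEYWORDS = new Set(["'none'", "'self'", "'unsafe-eval'"]);
// Hash sources are not keywords; the page's own valid example uses one.
const HASH_SOURCE = /^'sha(256|384|512)-[A-Za-z0-9+\/]+={0,2}'$/;

// Parse "name src src; name src" into a Map from directive name to its sources.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // tolerate a trailing ";"
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Check one source expression; return an error string, or null when it passes.
function checkSource(directive, source) {
  const where = `${directive}: ${source}`;
  if (source.startsWith("'")) {
    if (HASH_SOURCE.test(source) || PERMITTED_KEYWORDS.has(source.toLowerCase())) return null;
    return `unsupported keyword in ${where}`;
  }
  const schemeOnly = /^([a-z][a-z0-9+.-]*):$/i.exec(source);
  if (schemeOnly) {
    const scheme = schemeOnly[1].toLowerCase();
    if (!PERMITTED_SCHEMES.has(scheme)) return `scheme "${scheme}:" not permitted in ${where}`;
    // Assumption: blob:, filesystem: and moz-extension: carry no host, so only a
    // bare "https:" is treated as "a scheme but no host".
    return scheme === 'https' ? `source specifies a scheme but no host in ${where}` : null;
  }
  const withHost = /^([a-z][a-z0-9+.-]*):\/\/([^\/]*)/i.exec(source);
  if (!withHost) return `remote source must use the https: scheme in ${where}`;
  const scheme = withHost[1].toLowerCase();
  const host = withHost[2].toLowerCase();
  if (!PERMITTED_SCHEMES.has(scheme)) return `scheme "${scheme}:" not permitted in ${where}`;
  if (host === '') return `source specifies a scheme but no host in ${where}`;
  if (host.startsWith('*.') && PUBLIC_SUFFIXES.has(host.slice(2))) {
    return `wildcard on public suffix "${host.slice(2)}" in ${where}`;
  }
  return null;
}

// Validate a whole policy string. Returns the list of violations; [] means accepted.
function validateManifestCsp(policy) {
  const errors = [];
  const directives = parsePolicy(policy);
  for (const required of ['script-src', 'object-src']) {
    // default-src is the CSP fallback for both directives, which is why the
    // page lists "default-src 'self'" as a valid policy.
    const sources = directives.get(required) || directives.get('default-src');
    if (!sources) errors.push(`missing required directive ${required}`);
    else if (!sources.some((s) => s.toLowerCase() === "'self'")) errors.push(`${required} must contain 'self'`);
  }
  for (const [name, sources] of directives) {
    for (const source of sources) {
      const err = checkSource(name, source);
      if (err) errors.push(err);
    }
  }
  return errors;
}

// Constructed inputs mirroring the page's valid and invalid examples.
for (const policy of [
  "script-src 'self' https://*.jquery.com; object-src 'self'",
  "default-src 'self'",
  "script-src 'self' http://code.jquery.com; object-src 'self'",
  "script-src 'self' https://*.blogspot.com; object-src 'self'",
]) {
  const errors = validateManifestCsp(policy);
  console.log(errors.length === 0 ? 'accepted' : `rejected: ${errors.join('; ')}`, '<-', policy);
}
```

Run it with Node. Each of the page's invalid examples yields exactly one violation, and each valid example yields none; a scheme-less host such as `example.com` is rejected under the "remote sources must use https:" rule because nothing else on the page admits it.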

{{WebExtCompat()}}

Example

Valid examples

Allow remote scripts from "https://example.com":

"content_security_policy": "script-src 'self' https://example.com; object-src 'self'"

Allow remote scripts from any subdomain of "jquery.com":

"content_security_policy": "script-src 'self' https://*.jquery.com; object-src 'self'"

Allow eval() and friends:

"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self';"

Allow the inline script: "<script>alert('Hello, world.');</script>":

"content_security_policy": "script-src 'self' 'sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng='; object-src 'self'"

Keep the rest of the policy, but also require that images should be packaged with the add-on:

"content_security_policy": "script-src 'self'; object-src 'self'; img-src 'self'"

Require that all types of content should be packaged with the add-on:

"content_security_policy": "default-src 'self'"

Invalid examples

Policy that omits the "object-src" directive:

"content_security_policy": "script-src 'self' https://*.jquery.com;"

Policy that omits the 'self' keyword in the "script-src" directive:

"content_security_policy": "script-src https://*.jquery.com; object-src 'self'"

Scheme for a remote source is not https:

"content_security_policy": "script-src 'self' http://code.jquery.com; object-src 'self'"

Wildcard is used with a generic domain:

"content_security_policy": "script-src 'self' https://*.blogspot.com; object-src 'self'"

Source specifies a scheme but no host:

"content_security_policy": "script-src 'self' https:; object-src 'self'"

Directive includes the unsupported keyword 'unsafe-inline':

"content_security_policy": "script-src 'self' 'unsafe-inline'; object-src 'self'"

Revision Source

<div>{{AddonSidebar}}</div>

<table class="fullwidth-table standard-table">
 <tbody>
  <tr>
   <th scope="row" style="width: 30%;">Type</th>
   <td><code>String</code></td>
  </tr>
  <tr>
   <th scope="row">Mandatory</th>
   <td>No</td>
  </tr>
  <tr>
   <th scope="row">Example</th>
   <td>
    <pre class="brush: json">
"content_security_policy": "script-src 'self' https://example.com; object-src 'self'"</pre>
   </td>
  </tr>
 </tbody>
</table>

<p>WebExtensions have a content security policy applied to them by default. The default policy restricts the sources from which they can load <a href="https://developer.mozilla.org/en-US/docs/Web/HTML/Element/script">&lt;script&gt;</a> and <a href="https://developer.mozilla.org/en-US/docs/Web/HTML/Element/object">&lt;object&gt;</a> resources, and disallows potentially unsafe practices such as the use of <code><a href="/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval">eval()</a></code>. See the <a href="/en-US/Add-ons/WebExtensions/Content_Security_Policy#Default_content_security_policy">Default content security policy</a> page to learn more about the implications of this.</p>

<p>You can use the <code>"content_security_policy"</code> manifest key to loosen or tighten the default policy. This key is specified in just the same way as the Content-Security-Policy HTTP header. See <a href="/en-US/docs/Web/Security/CSP/Using_Content_Security_Policy">Using Content Security Policy</a> for a general description of the syntax.</p>

<p>For example, you can use this key to:</p>

<ul>
 <li>Allow the WebExtension to load scripts and objects from outside its package, by supplying their URL in the <code><a href="/en-US/docs/Web/Security/CSP/CSP_policy_directives#script-src">"script-src"</a></code> or <code><a href="/en-US/docs/Web/Security/CSP/CSP_policy_directives#object-src">"object-src"</a></code> directives.</li>
 <li>Allow the WebExtension to execute inline scripts, by <a href="https://www.w3.org/TR/2015/CR-CSP2-20150721/#script-src-hash-usage">supplying the hash of the script in the <code>"script-src"</code> directive</a>.</li>
 <li>Allow the WebExtension to use <code>eval()</code> and similar features, by including&nbsp;<code>'unsafe-eval'</code> in the&nbsp;<code><a href="/en-US/docs/Web/Security/CSP/CSP_policy_directives#script-src">"script-src"</a></code> directive.</li>
 <li>Restrict permitted sources for other types of content, such as images and stylesheets, using the appropriate <a href="/en-US/docs/Web/Security/CSP/CSP_policy_directives">policy directive</a>.</li>
</ul>

<p>There are restrictions on the policy you can specify here:</p>

<ul>
 <li>The policy must include at least the <code><a href="/en-US/docs/Web/Security/CSP/CSP_policy_directives#script-src">"script-src"</a></code> and the <code><a href="/en-US/docs/Web/Security/CSP/CSP_policy_directives#object-src">"object-src"</a></code> directives, and these directives must contain the keyword <code>'self'</code>.</li>
 <li>Remote sources must use <code>https:</code> schemes.</li>
 <li>Remote sources must not use wildcards for any domains in the <a href="https://publicsuffix.org/list/">public suffix list</a> (so "*.co.uk" and "*.blogspot.com" are not allowed, although "*.foo.blogspot.com" is allowed).</li>
 <li>All sources must specify a host.</li>
 <li>The only permitted schemes for sources are: <code>blob:</code>, <code>filesystem:</code>, <code>moz-extension:</code>, and <code>https:</code>.</li>
 <li>The only permitted <a href="/en-US/docs/Web/Security/CSP/CSP_policy_directives#Keywords">keywords</a> are: <code>'none'</code>, <code>'self'</code>, and <code>'unsafe-eval'</code>.</li>
</ul>

<p>{{WebExtCompat()}}</p>

<h2 id="Example">Example</h2>

<h3 id="Valid_examples">Valid examples</h3>

<p>Allow remote scripts from "https://example.com":</p>

<pre class="brush: json">
"content_security_policy": "script-src 'self' https://example.com; object-src 'self'"</pre>

<p>Allow remote scripts from any subdomain of "jquery.com":</p>

<pre class="brush: json">
"content_security_policy": "script-src 'self' https://*.jquery.com; object-src 'self'"</pre>

<p>Allow <a href="/en-US/Add-ons/WebExtensions/Content_Security_Policy#eval%28%29_and_friends"><code>eval()</code> and friends</a>:</p>

<pre class="brush: json">
"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self';"</pre>

<p>Allow the inline script: <code>"&lt;script&gt;alert('Hello, world.');&lt;/script&gt;"</code>:</p>

<pre class="brush: json">
"content_security_policy": "script-src 'self' 'sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng='; object-src 'self'"</pre>

<p>Keep the rest of the policy, but also require that images should be packaged with the add-on:</p>

<pre class="brush: json">
"content_security_policy": "script-src 'self'; object-src 'self'; img-src 'self'"</pre>

<p>Require that all types of content should be packaged with the add-on:</p>

<pre class="brush: json">
"content_security_policy": "default-src 'self'"
</pre>

<h3 id="Invalid_examples">Invalid examples</h3>

<p>Policy that omits the <code>"object-src"</code> directive:</p>

<pre class="brush: json">
"content_security_policy": "script-src 'self' https://*.jquery.com;"</pre>

<p>Policy that omits the <code>'self'</code> keyword in the <code>"script-src"</code> directive:</p>

<pre class="brush: json">
"content_security_policy": "script-src https://*.jquery.com; object-src 'self'"</pre>

<p>Scheme for a remote source is not <code>https</code>:</p>

<pre class="brush: json">
"content_security_policy": "script-src 'self' http://code.jquery.com; object-src 'self'"</pre>

<p>Wildcard is used with a generic domain:</p>

<pre class="brush: json">
"content_security_policy": "script-src 'self' https://*.blogspot.com; object-src 'self'"</pre>

<p>Source specifies a scheme but no host:</p>

<pre class="brush: json">
"content_security_policy": "script-src 'self' https:; object-src 'self'"</pre>

<p>Directive includes the unsupported keyword <code>'unsafe-inline'</code>:</p>

<pre class="brush: json">
"content_security_policy": "script-src 'self' 'unsafe-inline'; object-src 'self'"</pre>
