Type | String |
---|---|
Mandatory | No |
Example |
"content_security_policy": "default-src 'self'" |
Extensions have a content security policy applied to them by default. The default policy restricts the sources from which they can load<script> and <object> resources, and disallows potentially unsafe practices such as the use of eval()
. See Default content security policy to learn more about the implications of this.
You can use the "content_security_policy"
manifest key to loosen or tighten the default policy. This key is specified in just the same way as the Content-Security-Policy HTTP header. See Using Content Security Policy for a general description of CSP syntax.
For example, you can use this key to:
- Allow the extension to load scripts and objects from outside its package, by supplying their URL in the
script-src
orobject-src
directives. - Allow the extension to execute inline scripts, by supplying the hash of the script in the
"script-src"
directive. - Allow the extension to use
eval()
and similar features, by including'unsafe-eval'
in thescript-src
directive. - Restrict permitted sources for other types of content, such as images and stylesheets, using the appropriate policy directive.
There are restrictions on the policy you can specify here:
- The policy must include at least the
script-src
and theobject-src
directives, and thescript-src
directive must contain the keyword'self'
. - Remote sources must use
https:
schemes. - Remote sources must not use wildcards for any domains in the public suffix list (so "*.co.uk" and "*.blogspot.com" are not allowed, although "*.foo.blogspot.com" is allowed).
- All sources must specify a host.
- The only permitted schemes for sources are:
blob:
,filesystem:
,moz-extension:
, andhttps:
. - The only permitted keywords are:
'none'
,'self'
, and'unsafe-eval'
.
Example
Valid examples
Allow remote scripts from "https://example.com": (see note 1 )
"content_security_policy": "script-src 'self' https://example.com; object-src 'self'"
Allow remote scripts from any subdomain of "jquery.com":
"content_security_policy": "script-src 'self' https://*.jquery.com; object-src 'self'"
Allow eval()
and friends:
"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self';"
Allow the inline script: "<script>alert('Hello, world.');</script>"
:
"content_security_policy": "script-src 'self' 'sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng='; object-src 'self'"
Keep the rest of the policy, but also require that images should be packaged with the extension:
"content_security_policy": "script-src 'self'; object-src 'self'; img-src 'self'"
Require that all types of content should be packaged with the extension:
"content_security_policy": "default-src 'self'"
Invalid examples
Policy that omits the "object-src"
directive:
"content_security_policy": "script-src 'self' https://*.jquery.com;"
Policy that omits the "self"
keyword in the "script-src"
directive:
"content_security_policy": "script-src https://*.jquery.com; object-src 'self'"
Scheme for a remote source is not https
:
"content_security_policy": "script-src 'self' http://code.jquery.com; object-src 'self'"
Wildcard is used with a generic domain:
"content_security_policy": "script-src 'self' https://*.blogspot.com; object-src 'self'"
Source specifies a scheme but no host:
"content_security_policy": "script-src 'self' https:; object-src 'self'"
Directive includes the unsupported keyword 'unsafe-inline'
:
"content_security_policy": "script-src 'self' 'unsafe-inline'; object-src 'self'"
1. Note: Valid examples display the correct use of keys in CSP. However, extensions with 'unsafe-eval', 'unsafe-inline', remote script, or remote sources in their CSP are not allowed for extensions listed on addons.mozilla.org due to major security issues.
Browser compatibility
The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out https://github.com/mdn/browser-compat-data and send us a pull request.
Chrome | Edge | Firefox | Firefox for Android | Opera | |
---|---|---|---|---|---|
Basic support | Yes | Yes 1 | 48 2 | 48 2 | Yes |
2. Firefox does not support 'http://127.0.0.1' or 'http://localhost' as script sources: they must be served over HTTPS.