
content_security_policy - Mozilla | MDN

<!doctype html><html lang="en-US" prefix="og: https://ogp.me/ns#"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width,initial-scale=1"/><link rel="icon" href="https://developer.mozilla.org/favicon-48x48.bc390275e955dacb2e65.png"/><link rel="apple-touch-icon" href="https://developer.mozilla.org/apple-touch-icon.528534bba673c38049c2.png"/><meta name="theme-color" content="#ffffff"/><link rel="manifest" href="https://developer.mozilla.org/manifest.f42880861b394dd4dc9b.json"/><link rel="search" type="application/opensearchdescription+xml" href="/opensearch.xml" title="MDN Web Docs"/><title>content_security_policy - Mozilla | MDN</title><link rel="alternate" title="content_security_policy" href="https://developer.mozilla.org/de/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy" hrefLang="de"/><link rel="alternate" title="content_security_policy" href="https://developer.mozilla.org/fr/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy" hrefLang="fr"/><link rel="alternate" title="content_security_policy" href="https://developer.mozilla.org/ja/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy" hrefLang="ja"/><link rel="alternate" title="content_security_policy" href="https://developer.mozilla.org/ru/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy" hrefLang="ru"/><link rel="alternate" title="content_security_policy" href="https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy" hrefLang="en"/><link rel="preload" as="font" type="font/woff2" href="/static/media/Inter.var.c2fe3cb2b7c746f7966a.woff2" crossorigin=""/><link rel="alternate" type="application/rss+xml" title="MDN Blog RSS Feed" href="https://developer.mozilla.org/en-US/blog/rss.xml" hrefLang="en"/><meta name="description" content="Extensions have a content security policy (CSP) applied to them by default. 
The default policy restricts the sources from which extensions can load code (such as &lt;script&gt; resources) and disallows potentially unsafe practices such as the use of eval(). See Default content security policy to learn more about the implications of this."/><meta property="og:url" content="https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy"/><meta property="og:title" content="content_security_policy - Mozilla | MDN"/><meta property="og:type" content="website"/><meta property="og:locale" content="en_US"/><meta property="og:description" content="Extensions have a content security policy (CSP) applied to them by default. The default policy restricts the sources from which extensions can load code (such as &lt;script&gt; resources) and disallows potentially unsafe practices such as the use of eval(). See Default content security policy to learn more about the implications of this."/><meta property="og:image" content="https://developer.mozilla.org/mdn-social-share.d893525a4fb5fb1f67a2.png"/><meta property="og:image:type" content="image/png"/><meta property="og:image:height" content="1080"/><meta property="og:image:width" content="1920"/><meta property="og:image:alt" content="The MDN Web Docs logo, featuring a blue accent color, displayed on a solid black background."/><meta property="og:site_name" content="MDN Web Docs"/><meta name="twitter:card" content="summary_large_image"/><meta name="twitter:creator" content="MozDevNet"/><link rel="canonical" href="https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy"/><style media="print">.article-actions-container,.document-toc-container,.language-menu,.main-menu-toggle,.on-github,.page-footer,.place,.sidebar,.top-banner,.top-navigation-main,ul.prev-next{display:none!important}.main-page-content,.main-page-content pre{padding:2px}.main-page-content pre{border-left-width:2px}</style><script 
src="/static/js/gtag.js" defer=""></script><script defer="" src="/static/js/main.5e889624.js"></script><link href="/static/css/main.26c64ea7.css" rel="stylesheet"/></head><body>
href="/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/optional_host_permissions">optional_host_permissions</a></li><li><a href="/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/optional_permissions">optional_permissions</a></li><li><a href="/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/options_page">options_page</a></li><li><a href="/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/options_ui">options_ui</a></li><li><a href="/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/page_action">page_action</a></li><li><a href="/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions">permissions</a></li><li><a href="/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/protocol_handlers">protocol_handlers</a></li><li><a href="/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/short_name">short_name</a></li><li><a href="/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/sidebar_action">sidebar_action</a></li><li><a href="/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/storage">storage</a></li><li><a href="/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/theme">theme</a></li><li><a href="/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/theme_experiment">theme_experiment</a></li><li><a href="/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/user_scripts">user_scripts</a></li><li><a href="/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/version">version</a></li><li><a href="/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/version_name">version_name</a></li><li><a href="/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/web_accessible_resources">web_accessible_resources</a></li></ol> </details> </li> <li> <details> <summary>Extension Workshop</summary> <ol> <li><a href="https://extensionworkshop.com/documentation/develop/">Develop</a></li> <li><a href="https://extensionworkshop.com/documentation/publish/">Publish</a></li> <li><a 
href="https://extensionworkshop.com/documentation/manage/">Manage</a></li> <li><a href="https://extensionworkshop.com/documentation/enterprise/">Enterprise</a></li> </ol> </details> </li> <li class="section"><a href="/en-US/docs/Mozilla/Add-ons/Contact_us">Contact us</a></li> <li> <details> <summary>Channels</summary> <ol> <li><a href="https://blog.mozilla.org/addons">Add-ons blog</a></li> <li><a href="https://discourse.mozilla.org/c/add-ons">Add-ons forum</a></li> <li><a href="https://chat.mozilla.org/#/room/%23addons:mozilla.org">Add-ons chat</a></li> </ol> </details> </li> </ol> </div></div><section class="place side"></section></nav></aside><div class="toc-container"><aside class="toc"><nav><div class="document-toc-container"><section class="document-toc"><header><h2 class="document-toc-heading">In this article</h2></header><ul class="document-toc-list"><li class="document-toc-item "><a class="document-toc-link" href="#object-src_directive">object-src directive</a></li><li class="document-toc-item "><a class="document-toc-link" href="#manifest_v2_syntax">Manifest V2 syntax</a></li><li class="document-toc-item "><a class="document-toc-link" href="#manifest_v3_syntax">Manifest V3 syntax</a></li><li class="document-toc-item "><a class="document-toc-link" href="#examples">Examples</a></li><li class="document-toc-item "><a class="document-toc-link" href="#browser_compatibility">Browser compatibility</a></li></ul></section></div></nav></aside><section class="place side"></section></div></div><main id="content" class="main-content "><article class="main-page-content" lang="en-US"><header><h1>content_security_policy</h1></header><div class="section-content"><figure class="table-container"><table class="fullwidth-table standard-table"> <tbody> <tr> <th scope="row">Type</th> <td><code>String</code></td> </tr> <tr> <th scope="row">Mandatory</th> <td>No</td> </tr> <tr> <th scope="row">Manifest version</th> <td>2 or higher</td> </tr> <tr> <th scope="row">Example</th> 
<td>Manifest V2: <div class="code-example"><div class="example-header"><span class="language-name">json</span></div><pre class="brush: json notranslate"><code>"content_security_policy": "default-src 'self'"</code></pre></div>Manifest V3: <div class="code-example"><div class="example-header"><span class="language-name">json</span></div><pre class="brush: json notranslate"><code>"content_security_policy": { "extension_pages": "default-src 'self'" }</code></pre></div> </td> </tr> </tbody> </table></figure> <p>Extensions have a content security policy (CSP) applied to them by default. The default policy restricts the sources from which extensions can load code (such as <a href="/en-US/docs/Web/HTML/Element/script">&lt;script&gt;</a> resources) and disallows potentially unsafe practices such as the use of <a href="/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval"><code>eval()</code></a>. See <a href="/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_Security_Policy#default_content_security_policy">Default content security policy</a> to learn more about the implications of this.</p> <p>You can use the <code>"content_security_policy"</code> manifest key to loosen or tighten the default policy. This key is specified in the same way as the Content-Security-Policy HTTP header. 
See <a href="/en-US/docs/Web/HTTP/CSP">Using Content Security Policy</a> for a general description of CSP syntax.</p> <p>For example, you can use this key to:</p> <ul> <li>Restrict permitted sources for other types of content, such as images and stylesheets, using the appropriate <a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy">policy directive</a>.</li> <li>Allow the extension to take advantage of <a href="/en-US/docs/WebAssembly">WebAssembly</a> by including the <code>'wasm-unsafe-eval'</code> source in the <code>script-src</code> directive.</li> <li>Loosen the default <a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src"><code>script-src</code></a> policies (Manifest V2 only): <ul> <li>Allow the extension to load scripts from outside its package by supplying their URL in the <a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src"><code>script-src</code></a> directive.</li> <li>Allow the extension to execute inline scripts by <a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_inline_script">supplying the hash of the script in the <code>script-src</code> directive</a>.</li> <li>Allow the extension to use <code>eval()</code> and similar features by including <code>'unsafe-eval'</code> in the <a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src"><code>script-src</code></a> directive.</li> </ul> </li> </ul> <p>There are restrictions on the policy you can specify with this manifest key:</p> <ul> <li>The <a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src"><code>script-src</code></a> directive must include at least the <code>'self'</code> keyword and may only contain secure sources. 
The set of permitted secure sources differs between Manifest V2 and Manifest V3.</li> <li>The policy may include <a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src"><code>default-src</code></a> alone (without <a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src"><code>script-src</code></a>) if its sources meet the requirement for the <a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src"><code>script-src</code></a> directive.</li> <li>The <a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src"><code>object-src</code></a> directive may be required; see <a href="#object-src_directive">object-src directive</a> for details.</li> <li>Directives that reference code – <a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src"><code>script-src</code></a>, <a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-elem"><code>script-src-elem</code></a>, <a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/worker-src"><code>worker-src</code></a>, and <a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src"><code>default-src</code></a> (if used as a fallback) – share the same secure source requirement. There are no restrictions on CSP directives that cover non-script content, such as <a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src"><code>img-src</code></a>.</li> </ul> <p> In Manifest V3, all CSP sources that refer to external or non-static content are forbidden. The only permitted values are <code>'none'</code>, <code>'self'</code>, and <code>'wasm-unsafe-eval'</code>. 
In Manifest V2, a source for a script directive is considered secure if it meets these criteria: </p> <ul> <li>Wildcard hosts are not permitted, such as <code>"script-src 'self' *"</code>.</li> <li>Remote sources must use <code>https:</code> schemes.</li> <li>Remote sources must not use wildcards for any domains in the <a href="https://publicsuffix.org/list/" class="external" target="_blank">public suffix list</a> (so <code>*.co.uk</code> and <code>*.blogspot.com</code> are not allowed, although <code>*.foo.blogspot.com</code> is permitted).</li> <li>All sources must specify a host.</li> <li>The only permitted schemes for sources are <code>blob:</code>, <code>filesystem:</code>, <code>moz-extension:</code>, <code>https:</code>, and <code>wss:</code>.</li> <li>The only permitted <a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#fetch_directive_syntax">keywords</a> are: <code>'none'</code>, <code>'self'</code>, <code>'unsafe-eval'</code>, and <code>'wasm-unsafe-eval'</code>.</li> </ul></div><section aria-labelledby="object-src_directive"><h2 id="object-src_directive"><a href="#object-src_directive">object-src directive</a></h2><div class="section-content"><p>The <code><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src"><code>object-src</code></a></code> directive may be required in some browsers that support obsolete <a href="/en-US/docs/Glossary/Plugin">plugins</a> and should be set to a secure source such as <code>'none'</code> if needed. This may be necessary for browsers up until 2022.</p> <ul> <li>In Firefox, <code>"object-src"</code> is optional from Firefox 106. In earlier versions, if <code>"object-src"</code> isn't specified, <code>"content_security_policy"</code> is ignored and the default CSP is used.</li> <li>In Chrome, <code>"object-src"</code> is required. 
If it's missing or deemed insecure, the default (<code>"object-src 'self'"</code>) is used and a warning message logged.</li> <li>In Safari, there is no requirement for <code>"object-src"</code>.</li> </ul> <p>See W3C WebExtensions Community Group <a href="https://github.com/w3c/webextensions/issues/204" class="external" target="_blank">issue 204</a>, Remove object-src from the CSP, for more information.</p></div></section><section aria-labelledby="manifest_v2_syntax"><h2 id="manifest_v2_syntax"><a href="#manifest_v2_syntax">Manifest V2 syntax</a></h2><div class="section-content"><p>In Manifest V2, there is one content security policy specified against the key like this:</p> <div class="code-example"><div class="example-header"><span class="language-name">json</span></div><pre class="brush: json notranslate"><code>"content_security_policy": "default-src 'self'" </code></pre></div></div></section><section aria-labelledby="manifest_v3_syntax"><h2 id="manifest_v3_syntax"><a href="#manifest_v3_syntax">Manifest V3 syntax</a></h2><div class="section-content"><p>In Manifest V3, the <code>content_security_policy</code> key is an object that may have any of these properties, all optional:</p> <figure class="table-container"><table class="fullwidth-table standard-table"> <thead> <tr> <th scope="col">Name</th> <th scope="col">Type</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td><code>extension_pages</code></td> <td><code>String</code></td> <td>The content security policy used for extension pages. 
The <code>script-src</code> and <code>worker-src</code> directives may only have these values: <ul> <li><code>'self'</code></li> <li><code>'none'</code></li> <li><code>'wasm-unsafe-eval'</code></li> </ul> </td> </tr> <tr> <td><code>sandbox</code></td> <td><code>String</code></td> <td>The content security policy used for sandboxed extension pages.</td> </tr> </tbody> </table></figure></div></section><section aria-labelledby="examples"><h2 id="examples"><a href="#examples">Examples</a></h2><div class="section-content"></div></section><section aria-labelledby="valid_examples"><h3 id="valid_examples"><a href="#valid_examples">Valid examples</a></h3><div class="section-content"><div class="notecard note"> <p> <strong>Note:</strong> Valid examples demonstrate the correct use of keys in CSP. However, Firefox extensions whose CSP includes 'unsafe-eval', remote script, blob, or remote sources are not allowed under the <a href="https://extensionworkshop.com/documentation/publish/add-on-policies/" class="external" target="_blank">add-on policies</a>, due to significant security issues: code that is loaded remotely or built at run time runs with the extension's privileges but is not part of the extension's packaged files. </p> </div> <div class="notecard note"> <p><strong>Note:</strong> Some examples include the <code><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src"><code>object-src</code></a></code> directive, which provides backward compatibility for older browser versions. 
See <a href="#object-src_directive">object-src directive</a> for more details.</p> </div> <p>Require that all types of content should be packaged with the extension:</p> <ul> <li> <p>Manifest V2</p> <div class="code-example"><div class="example-header"><span class="language-name">json</span></div><pre class="brush: json notranslate"><code>"content_security_policy": "default-src 'self'" </code></pre></div> </li> <li> <p>Manifest V3</p> <div class="code-example"><div class="example-header"><span class="language-name">json</span></div><pre class="brush: json notranslate"><code>"content_security_policy": { "extension_pages": "default-src 'self'" } </code></pre></div> </li> </ul> <p>Allow remote scripts from "<a href="https://example.com" class="external" target="_blank">https://example.com</a>":</p> <ul> <li> <p>Manifest V2</p> <div class="code-example"><div class="example-header"><span class="language-name">json</span></div><pre class="brush: json notranslate"><code>"content_security_policy": "script-src 'self' https://example.com; object-src 'self'" </code></pre></div> </li> <li> <p>Manifest V3 does not allow remote URLs in <code>script-src</code> of <code>extension_pages</code>.</p> </li> </ul> <p>Allow remote scripts from any subdomain of "jquery.com":</p> <ul> <li> <p>Manifest V2</p> <div class="code-example"><div class="example-header"><span class="language-name">json</span></div><pre class="brush: json notranslate"><code>"content_security_policy": "script-src 'self' https://*.jquery.com; object-src 'self'" </code></pre></div> </li> <li> <p>Manifest V3 does not allow remote URLs in <code>script-src</code> of <code>extension_pages</code>.</p> </li> </ul> <p>Allow <a href="/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_Security_Policy#eval%28%29_and_friends"><code>eval()</code> and friends</a>:</p> <ul> <li> <p>Manifest V2</p> <div class="code-example"><div class="example-header"><span class="language-name">json</span></div><pre class="brush: json 
notranslate"><code>"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self';" </code></pre></div> </li> <li> <p>Manifest V3 does not allow <code>'unsafe-eval'</code> in <code>script-src</code>.</p> </li> </ul> <p>Allow the inline script: <code>"&lt;script&gt;alert('Hello, world.');&lt;/script&gt;"</code>:</p> <ul> <li> <p>Manifest V2</p> <div class="code-example"><div class="example-header"><span class="language-name">json</span></div><pre class="brush: json notranslate"><code>"content_security_policy": "script-src 'self' 'sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng='; object-src 'self'" </code></pre></div> </li> <li> <p>Manifest V3 does not allow CSP hashes in <code>script-src</code> of <code>extension_pages</code>.</p> </li> </ul> <p>Keep the rest of the policy, but also require that images should be packaged with the extension:</p> <ul> <li> <p>Manifest V2</p> <div class="code-example"><div class="example-header"><span class="language-name">json</span></div><pre class="brush: json notranslate"><code>"content_security_policy": "script-src 'self'; object-src 'self'; img-src 'self'" </code></pre></div> </li> <li> <p>Manifest V3</p> <div class="code-example"><div class="example-header"><span class="language-name">json</span></div><pre class="brush: json notranslate"><code>"content_security_policy": { "extension_pages": "script-src 'self'; img-src 'self'" } </code></pre></div> </li> </ul> <p>Enable the use of <a href="/en-US/docs/WebAssembly">WebAssembly</a>:</p> <ul> <li> <p>Manifest V2</p> <p>For backward compatibility, Manifest V2 extensions in Firefox can use WebAssembly without the use of <code>'wasm-unsafe-eval'</code>. However, this behavior isn't guaranteed. See <a href="https://bugzil.la/1770909" class="external" target="_blank">Firefox bug 1770909</a>. Extensions using WebAssembly are therefore encouraged to declare <code>'wasm-unsafe-eval'</code> in their CSP. 
See <a href="/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_Security_Policy#webassembly">WebAssembly</a> on the Content Security Policy page for more information.</p> <div class="code-example"><div class="example-header"><span class="language-name">json</span></div><pre class="brush: json notranslate"><code>"content_security_policy": "script-src 'self' 'wasm-unsafe-eval'" </code></pre></div> </li> <li> <p>Manifest V3</p> <div class="code-example"><div class="example-header"><span class="language-name">json</span></div><pre class="brush: json notranslate"><code>"content_security_policy": { "extension_pages": "script-src 'self' 'wasm-unsafe-eval'" } </code></pre></div> </li> </ul></div></section><section aria-labelledby="invalid_examples"><h3 id="invalid_examples"><a href="#invalid_examples">Invalid examples</a></h3><div class="section-content"><p>Policy that omits the <code>"object-src"</code> directive:</p> <div class="code-example"><div class="example-header"><span class="language-name">json</span></div><pre class="brush: json example-bad notranslate"><code>"content_security_policy": "script-src 'self' https://*.jquery.com;" </code></pre></div> <p>However, this is only invalid in browsers that support obsolete <a href="/en-US/docs/Glossary/Plugin">plugins</a>. 
See <a href="#object-src_directive">object-src directive</a> for more details.</p> <p>Policy that omits the <code>"self"</code> keyword in the <code>"script-src"</code> directive:</p> <div class="code-example"><div class="example-header"><span class="language-name">json</span></div><pre class="brush: json example-bad notranslate"><code>"content_security_policy": "script-src https://*.jquery.com; object-src 'self'" </code></pre></div> <p>Scheme for a remote source is not <code>https</code>:</p> <div class="code-example"><div class="example-header"><span class="language-name">json</span></div><pre class="brush: json example-bad notranslate"><code>"content_security_policy": "script-src 'self' http://code.jquery.com; object-src 'self'" </code></pre></div> <p>Wildcard is used with a generic domain:</p> <div class="code-example"><div class="example-header"><span class="language-name">json</span></div><pre class="brush: json example-bad notranslate"><code>"content_security_policy": "script-src 'self' https://*.blogspot.com; object-src 'self'" </code></pre></div> <p>Source specifies a scheme but no host:</p> <div class="code-example"><div class="example-header"><span class="language-name">json</span></div><pre class="brush: json example-bad notranslate"><code>"content_security_policy": "script-src 'self' https:; object-src 'self'" </code></pre></div> <p>Directive includes the unsupported keyword <code>'unsafe-inline'</code>:</p> <div class="code-example"><div class="example-header"><span class="language-name">json</span></div><pre class="brush: json example-bad notranslate"><code>"content_security_policy": "script-src 'self' 'unsafe-inline'; object-src 'self'" </code></pre></div></div></section><h2 id="browser_compatibility"><a href="#browser_compatibility">Browser compatibility</a></h2><p>BCD tables only load in the browser<noscript> <!-- -->with JavaScript enabled. 
Enable JavaScript to view data.</noscript></p></article><aside class="article-footer"><div class="article-footer-inner"><div class="svg-container"><svg xmlns="http://www.w3.org/2000/svg" width="162" height="162" viewBox="0 0 162 162" fill="none" role="none"><mask id="b" fill="#fff"><path d="M97.203 47.04c8.113-7.886 18.004-13.871 28.906-17.492a78 78 0 0 1 33.969-3.39c11.443 1.39 22.401 5.295 32.024 11.411s17.656 14.28 23.476 23.86c5.819 9.579 9.269 20.318 10.083 31.385a69.85 69.85 0 0 1-5.387 32.44c-4.358 10.272-11.115 19.443-19.747 26.801-8.632 7.359-18.908 12.709-30.034 15.637l-6.17-21.698c7.666-2.017 14.746-5.703 20.694-10.773 5.948-5.071 10.603-11.389 13.606-18.467a48.14 48.14 0 0 0 3.712-22.352c-.561-7.625-2.938-15.025-6.948-21.625s-9.544-12.226-16.175-16.44-14.181-6.904-22.065-7.863a53.75 53.75 0 0 0-23.405 2.336c-7.513 2.495-14.327 6.62-19.918 12.053z"></path></mask><path stroke="url(#a)" stroke-dasharray="6, 6" stroke-width="2" d="M97.203 47.04c8.113-7.886 18.004-13.871 28.906-17.492a78 78 0 0 1 33.969-3.39c11.443 1.39 22.401 5.295 32.024 11.411s17.656 14.28 23.476 23.86c5.819 9.579 9.269 20.318 10.083 31.385a69.85 69.85 0 0 1-5.387 32.44c-4.358 10.272-11.115 19.443-19.747 26.801-8.632 7.359-18.908 12.709-30.034 15.637l-6.17-21.698c7.666-2.017 14.746-5.703 20.694-10.773 5.948-5.071 10.603-11.389 13.606-18.467a48.14 48.14 0 0 0 3.712-22.352c-.561-7.625-2.938-15.025-6.948-21.625s-9.544-12.226-16.175-16.44-14.181-6.904-22.065-7.863a53.75 53.75 0 0 0-23.405 2.336c-7.513 2.495-14.327 6.62-19.918 12.053z" mask="url(#b)" style="stroke:url(#a)" transform="translate(-63.992 -25.587)"></path><ellipse cx="8.066" cy="111.597" fill="var(--background-tertiary)" rx="53.677" ry="53.699" transform="matrix(.71707 -.697 .7243 .6895 0 0)"></ellipse><g clip-path="url(#c)" transform="translate(-63.992 -25.587)"><path fill="#9abff5" d="m144.256 137.379 32.906 12.434a4.41 4.41 0 0 1 2.559 5.667l-9.326 24.679a4.41 4.41 0 0 1-5.667 2.559l-8.226-3.108-2.332 6.17c-.466 1.233-.375 
3.324v4.868h2.669v3.044H6.642v-3.044h1.863v-7.918H6.642V11.42h5.864v2.11c.839-1.489 2.3-2.39 4.252-2.39 2.02 0 3.878.963 4.566 3.01.778-1.862 2.361-3.01 4.566-3.01 2.512 0 4.812 1.522 4.812 4.84v6.402h1.863v3.044h-.005Zm9.036.307c-4.314 0-7.296-2.635-7.296-7.106 0-4.096 2.484-7.481 7.514-7.481s7.481 3.38 7.481 7.29c0 4.472-3.228 7.297-7.699 7.297Zm22.578-.307H51.942l-.403-2.11 7.7-8.846h-4.376l-.621 2.17-2.888-.313.498-4.907h12.294l.313 2.11-7.767 8.852h4.533l.654-2.172 3.167.308-.872 4.908Zm7.99 0h-4.191v-5.03h4.19v5.03Zm0-8.976h-4.191v-5.03h4.19v5.03Zm2.618 8.976 6.054-21.358h3.945l-6.054 21.358h-3.945Zm8.136 0 6.048-21.358h3.945l-6.054 21.358h-3.939Zm21.486.307c-1.863 0-2.887-1.085-3.072-2.792-.805 1.427-2.232 2.792-4.498 2.792-2.02 0-4.314-1.085-4.314-4.006 0-3.447 3.323-4.253 6.518-4.253.778 0 1.584.034 2.3.124v-.465c0-1.427-.034-3.133-2.3-3.133-.84 0-1.488.061-2.143.402l-.453 1.578-3.195-.34.549-3.224c2.45-.996 3.692-1.27 5.992-1.27 3.01 0 5.556 1.55 5.556 4.75v6.083c0 .805.314 1.085.963 1.085.184 0 .375-.034.587-.095l.034 2.11a5.432 5.432 0 0 1-2.524.654Z" fill="currentColor"></path></svg></a><ul class="footer-moz-list"><li class="footer-moz-item"><a href="https://www.mozilla.org/privacy/websites/" class="footer-moz-link" target="_blank" rel="noopener noreferrer">Website Privacy Notice</a></li><li class="footer-moz-item"><a href="https://www.mozilla.org/privacy/websites/#cookies" class="footer-moz-link" target="_blank" rel="noopener noreferrer">Cookies</a></li><li class="footer-moz-item"><a href="https://www.mozilla.org/about/legal/terms/mozilla" class="footer-moz-link" target="_blank" rel="noopener noreferrer">Legal</a></li><li class="footer-moz-item"><a href="https://www.mozilla.org/about/governance/policies/participation/" class="footer-moz-link" target="_blank" rel="noopener noreferrer">Community Participation Guidelines</a></li></ul></div><div class="page-footer-legal"><p id="license" class="page-footer-legal-text">Visit<!-- --> <a 
href="https://www.mozilla.org" target="_blank" rel="noopener noreferrer">Mozilla Corporation’s</a> <!-- -->not-for-profit parent, the<!-- --> <a target="_blank" rel="noopener noreferrer" href="https://foundation.mozilla.org/">Mozilla Foundation</a>.<br/>Portions of this content are ©1998–<!-- -->2024<!-- --> by individual mozilla.org contributors. Content available under<!-- --> <a href="/en-US/docs/MDN/Writing_guidelines/Attrib_copyright_license">a Creative Commons license</a>.</p></div></div></footer></div><script type="application/json" id="hydration">{"url":"/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy","doc":{"isMarkdown":true,"isTranslated":false,"isActive":true,"flaws":{},"title":"content_security_policy","mdn_url":"/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy","locale":"en-US","native":"English (US)","browserCompat":["webextensions.manifest.content_security_policy"],"sidebarHTML":"\n <ol>\n <li class=\"section\"><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions\">Browser extensions</a></li>\n <li>\n <details>\n <summary>Getting started</summary>\n <ol>\n <li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/What_are_WebExtensions\">What are extensions?</a></li>\n<li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/Your_first_WebExtension\">Your first extension</a></li>\n<li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/Your_second_WebExtension\">Your second extension</a></li>\n<li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/Anatomy_of_a_WebExtension\">Anatomy of an extension</a></li>\n<li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/Examples\">Example extensions</a></li>\n<li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/What_next\">What next?</a></li>\n </ol>\n </details>\n </li>\n <li>\n <details>\n <summary>Concepts</summary>\n <ol>\n <li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API\">JavaScript APIs</a></li>\n<li><a 
href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_scripts\">Content scripts</a></li>\n<li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/Background_scripts\">Background scripts</a></li>\n<li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/Match_patterns\">Match patterns</a></li>\n<li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/Working_with_files\">Work with files</a></li>\n<li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/Internationalization\">Internationalization</a></li>\n<li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_Security_Policy\">Content Security Policy</a></li>\n<li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/Native_messaging\">Native messaging</a></li>\n<li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/Differences_between_API_implementations\">Differences between API implementations</a></li>\n<li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/Chrome_incompatibilities\">Chrome incompatibilities</a></li>\n </ol>\n </details>\n </li>\n <li>\n <details>\n <summary>User interface</summary>\n <ol>\n <li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/user_interface\">User interface</a></li>\n<li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/user_interface/Toolbar_button\">Toolbar button</a></li>\n<li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/user_interface/Page_actions\">Address bar button</a></li>\n<li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/user_interface/Sidebars\">Sidebars</a></li>\n<li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/user_interface/Context_menu_items\">Context menu items</a></li>\n<li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/user_interface/Options_pages\">Options page</a></li>\n<li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/user_interface/Extension_pages\">Extension pages</a></li>\n<li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/user_interface/Notifications\">Notifications</a></li>\n<li><a 
href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/user_interface/Omnibox\">Address bar suggestions</a></li>\n<li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/user_interface/devtools_panels\">devtools panels</a></li>\n </ol>\n </details>\n </li>\n <li>\n <details>\n <summary>How to</summary>\n <ol>\n <li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/Intercept_HTTP_requests\">Intercept HTTP requests</a></li>\n<li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/Modify_a_web_page\">Modify a web page</a></li>\n<li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/Safely_inserting_external_content_into_a_page\">Insert external content</a></li>\n<li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/Sharing_objects_with_page_scripts\">Share objects with page scripts</a></li>\n<li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/Add_a_button_to_the_toolbar\">Add a button to the toolbar</a></li>\n<li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/Implement_a_settings_page\">Implement a settings page</a></li>\n<li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/Working_with_the_Tabs_API\">Work with the Tabs API</a></li>\n<li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/Work_with_the_Bookmarks_API\">Work with the Bookmarks API</a></li>\n<li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/Work_with_the_Cookies_API\">Work with the Cookies API</a></li>\n<li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/Work_with_contextual_identities\">Work with contextual identities</a></li>\n<li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/Interact_with_the_clipboard\">Interact with the clipboard</a></li>\n<li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/Extending_the_developer_tools\">Extend the developer tools</a></li>\n<li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/Build_a_cross_browser_extension\">Build a cross-browser extension</a></li>\n </ol>\n </details>\n </li>\n <li>\n <details>\n <summary>JavaScript 
APIs</summary>\n <ol><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/Browser_support_for_JavaScript_APIs\">Browser support for JavaScript APIs</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/action\">action</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/alarms\">alarms</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/bookmarks\">bookmarks</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/browserAction\">browserAction</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/browserSettings\">browserSettings</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/browsingData\">browsingData</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/captivePortal\">captivePortal</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/clipboard\">clipboard</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/commands\">commands</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/contentScripts\">contentScripts</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/contextualIdentities\">contextualIdentities</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/cookies\">cookies</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/declarativeNetRequest\">declarativeNetRequest</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/devtools\">devtools</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/dns\">dns</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/dom\">dom</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/downloads\">downloads</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/events\">events</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/extension\">extension</a></li><li><a 
href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/extensionTypes\">extensionTypes</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/find\">find</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/history\">history</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/i18n\">i18n</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/identity\">identity</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/idle\">idle</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/management\">management</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/menus\">menus</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/notifications\">notifications</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/omnibox\">omnibox</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/pageAction\">pageAction</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/permissions\">permissions</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/pkcs11\">pkcs11</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/privacy\">privacy</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/proxy\">proxy</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/runtime\">runtime</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/scripting\">scripting</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/search\">search</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/sessions\">sessions</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/sidebarAction\">sidebarAction</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/storage\">storage</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs\">tabs</a></li><li><a 
href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/theme\">theme</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/topSites\">topSites</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/types\">types</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/userScripts\">userScripts</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/webNavigation\">webNavigation</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/webRequest\">webRequest</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/API/windows\">windows</a></li></ol>\n </details>\n </li>\n <li>\n <details open=\"\">\n <summary>Manifest keys</summary>\n <ol>\n <li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json\">manifest.json</a></li>\n </ol>\n <ol><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/action\">action</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/author\">author</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/background\">background</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/browser_action\">browser_action</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/browser_specific_settings\">browser_specific_settings</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/chrome_settings_overrides\">chrome_settings_overrides</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/chrome_url_overrides\">chrome_url_overrides</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/commands\">commands</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_scripts\">content_scripts</a></li><li><em><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy\" aria-current=\"page\">content_security_policy</a></em></li><li><a 
href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/declarative_net_request\">declarative_net_request</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/default_locale\">default_locale</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/description\">description</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/developer\">developer</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/devtools_page\">devtools_page</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/dictionaries\">dictionaries</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/externally_connectable\">externally_connectable</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/homepage_url\">homepage_url</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/host_permissions\">host_permissions</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/icons\">icons</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/incognito\">incognito</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/manifest_version\">manifest_version</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/name\">name</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/offline_enabled\">offline_enabled</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/omnibox\">omnibox</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/optional_host_permissions\">optional_host_permissions</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/optional_permissions\">optional_permissions</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/options_page\">options_page</a></li><li><a 
href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/options_ui\">options_ui</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/page_action\">page_action</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions\">permissions</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/protocol_handlers\">protocol_handlers</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/short_name\">short_name</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/sidebar_action\">sidebar_action</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/storage\">storage</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/theme\">theme</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/theme_experiment\">theme_experiment</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/user_scripts\">user_scripts</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/version\">version</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/version_name\">version_name</a></li><li><a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/web_accessible_resources\">web_accessible_resources</a></li></ol>\n </details>\n </li>\n <li>\n <details>\n <summary>Extension Workshop</summary>\n <ol>\n <li><a href=\"https://extensionworkshop.com/documentation/develop/\">Develop</a></li>\n <li><a href=\"https://extensionworkshop.com/documentation/publish/\">Publish</a></li>\n <li><a href=\"https://extensionworkshop.com/documentation/manage/\">Manage</a></li>\n <li><a href=\"https://extensionworkshop.com/documentation/enterprise/\">Enterprise</a></li>\n </ol>\n </details>\n </li>\n <li class=\"section\"><a href=\"/en-US/docs/Mozilla/Add-ons/Contact_us\">Contact us</a></li>\n <li>\n <details>\n <summary>Channels</summary>\n 
<ol>\n <li><a href=\"https://blog.mozilla.org/addons\">Add-ons blog</a></li>\n <li><a href=\"https://discourse.mozilla.org/c/add-ons\">Add-ons forum</a></li>\n <li><a href=\"https://chat.mozilla.org/#/room/%23addons:mozilla.org\">Add-ons chat</a></li>\n </ol>\n </details>\n </li>\n </ol>\n","sidebarMacro":"AddonSidebar","body":[{"type":"prose","value":{"id":null,"title":null,"isH3":false,"content":"<figure class=\"table-container\"><table class=\"fullwidth-table standard-table\">\n <tbody>\n <tr>\n <th scope=\"row\">Type</th>\n <td><code>String</code></td>\n </tr>\n <tr>\n <th scope=\"row\">Mandatory</th>\n <td>No</td>\n </tr>\n <tr>\n <th scope=\"row\">Manifest version</th>\n <td>2 or higher</td>\n </tr>\n <tr>\n <th scope=\"row\">Example</th>\n <td>Manifest V2:\n <div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">json</span></div><pre class=\"brush: json notranslate\"><code>\"content_security_policy\": \"default-src 'self'\"</code></pre></div>Manifest V3:\n <div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">json</span></div><pre class=\"brush: json notranslate\"><code>\"content_security_policy\": {\n \"extension_pages\": \"default-src 'self'\"\n}</code></pre></div>\n </td>\n </tr>\n </tbody>\n</table></figure>\n<p>Extensions have a content security policy (CSP) applied to them by default. The default policy restricts the sources from which extensions can load code (such as <a href=\"/en-US/docs/Web/HTML/Element/script\">&lt;script&gt;</a> resources) and disallows potentially unsafe practices such as the use of <a href=\"/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval\"><code>eval()</code></a>. 
See <a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_Security_Policy#default_content_security_policy\">Default content security policy</a> to learn more about the implications of this.</p>\n<p>You can use the <code>\"content_security_policy\"</code> manifest key to loosen or tighten the default policy. This key is specified in the same way as the Content-Security-Policy HTTP header. See <a href=\"/en-US/docs/Web/HTTP/CSP\">Using Content Security Policy</a> for a general description of CSP syntax.</p>\n<p>For example, you can use this key to:</p>\n<ul>\n <li>Restrict permitted sources for other types of content, such as images and stylesheets, using the appropriate <a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\">policy directive</a>.</li>\n <li>Allow the extension to take advantage of <a href=\"/en-US/docs/WebAssembly\">WebAssembly</a> by including the <code>'wasm-unsafe-eval'</code> source in the <code>script-src</code> directive.</li>\n <li>Loosen the default <a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src\"><code>script-src</code></a> policies (Manifest V2 only):\n <ul>\n <li>Allow the extension to load scripts from outside its package by supplying their URL in the <a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src\"><code>script-src</code></a> directive.</li>\n <li>Allow the extension to execute inline scripts by <a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_inline_script\">supplying the hash of the script in the <code>script-src</code> directive</a>.</li>\n <li>Allow the extension to use <code>eval()</code> and similar features by including <code>'unsafe-eval'</code> in the <a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src\"><code>script-src</code></a> directive.</li>\n </ul>\n </li>\n</ul>\n<p>There are restrictions on the policy you can specify with this manifest key:</p>\n<ul>\n <li>The <a 
href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src\"><code>script-src</code></a> directive must include at least the <code>'self'</code> keyword and may only contain secure sources. The set of permitted secure sources differs between Manifest V2 and Manifest V3.</li>\n <li>The policy may include <a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src\"><code>default-src</code></a> alone (without <a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src\"><code>script-src</code></a>) if its sources meet the requirement for the <a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src\"><code>script-src</code></a> directive.</li>\n <li>The <a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src\"><code>object-src</code></a> directive may be required; see <a href=\"#object-src_directive\">object-src directive</a> for details.</li>\n <li>Directives that reference code – <a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src\"><code>script-src</code></a>, <a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-elem\"><code>script-src-elem</code></a>, <a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/worker-src\"><code>worker-src</code></a>, and <a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src\"><code>default-src</code></a> (if used as a fallback) – share the same secure source requirement. There are no restrictions on CSP directives that cover non-script content, such as <a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src\"><code>img-src</code></a>.</li>\n</ul>\n<p>\n In Manifest V3, all CSP sources that refer to external or non-static content are forbidden. 
The only permitted values are <code>'none'</code>, <code>'self'</code>, and <code>'wasm-unsafe-eval'</code>.\n In Manifest V2, a source for a script directive is considered secure if it meets these criteria:\n</p>\n<ul>\n <li>Wildcard hosts are not permitted, such as <code>\"script-src 'self' *\"</code>.</li>\n <li>Remote sources must use <code>https:</code> schemes.</li>\n <li>Remote sources must not use wildcards for any domains in the <a href=\"https://publicsuffix.org/list/\" class=\"external\" target=\"_blank\">public suffix list</a> (so <code>*.co.uk</code> and <code>*.blogspot.com</code> are not allowed, although <code>*.foo.blogspot.com</code> is permitted).</li>\n <li>All sources must specify a host.</li>\n <li>The only permitted schemes for sources are <code>blob:</code>, <code>filesystem:</code>, <code>moz-extension:</code>, <code>https:</code>, and <code>wss:</code>.</li>\n <li>The only permitted <a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#fetch_directive_syntax\">keywords</a> are: <code>'none'</code>, <code>'self'</code>, <code>'unsafe-eval'</code>, and <code>'wasm-unsafe-eval'</code>.</li>\n</ul>"}},{"type":"prose","value":{"id":"object-src_directive","title":"object-src directive","isH3":false,"content":"<p>The <code><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src\"><code>object-src</code></a></code> directive may be required in some browsers that support obsolete <a href=\"/en-US/docs/Glossary/Plugin\">plugins</a> and should be set to a secure source such as <code>'none'</code> if needed. This may be necessary for browsers up until 2022.</p>\n<ul>\n <li>In Firefox, <code>\"object-src\"</code> is optional from Firefox 106. In earlier versions, if <code>\"object-src\"</code> isn't specified, <code>\"content_security_policy\"</code> is ignored and the default CSP is used.</li>\n <li>In Chrome, <code>\"object-src\"</code> is required. 
If it's missing or deemed insecure, the default (<code>\"object-src 'self'\"</code>) is used and a warning message logged.</li>\n <li>In Safari, there is no requirement for <code>\"object-src\"</code>.</li>\n</ul>\n<p>See W3C WebExtensions Community Group <a href=\"https://github.com/w3c/webextensions/issues/204\" class=\"external\" target=\"_blank\">issue 204</a>, Remove object-src from the CSP, for more information.</p>"}},{"type":"prose","value":{"id":"manifest_v2_syntax","title":"Manifest V2 syntax","isH3":false,"content":"<p>In Manifest V2, there is one content security policy specified against the key like this:</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">json</span></div><pre class=\"brush: json notranslate\"><code>\"content_security_policy\": \"default-src 'self'\"\n</code></pre></div>"}},{"type":"prose","value":{"id":"manifest_v3_syntax","title":"Manifest V3 syntax","isH3":false,"content":"<p>In Manifest V3, the <code>content_security_policy</code> key is an object that may have any of these properties, all optional:</p>\n<figure class=\"table-container\"><table class=\"fullwidth-table standard-table\">\n <thead>\n <tr>\n <th scope=\"col\">Name</th>\n <th scope=\"col\">Type</th>\n <th scope=\"col\">Description</th>\n </tr>\n </thead>\n <tbody>\n <tr>\n <td><code>extension_pages</code></td>\n <td><code>String</code></td>\n <td>The content security policy used for extension pages. 
The <code>script-src</code> and <code>worker-src</code> directives may only have these values:\n <ul>\n <li><code>'self'</code></li>\n <li><code>'none'</code></li>\n <li><code>'wasm-unsafe-eval'</code></li>\n </ul>\n </td>\n </tr>\n <tr>\n <td><code>sandbox</code></td>\n <td><code>String</code></td>\n <td>The content security policy used for sandboxed extension pages.</td>\n </tr>\n </tbody>\n</table></figure>"}},{"type":"prose","value":{"id":"examples","title":"Examples","isH3":false,"content":""}},{"type":"prose","value":{"id":"valid_examples","title":"Valid examples","isH3":true,"content":"<div class=\"notecard note\">\n <p>\n <strong>Note:</strong> Valid examples demonstrate the correct use of keys in CSP.\n However, Firefox extensions whose CSP contains 'unsafe-eval', remote scripts, blob, or remote sources are not allowed, both under the <a href=\"https://extensionworkshop.com/documentation/publish/add-on-policies/\" class=\"external\" target=\"_blank\">add-on policies</a> and because of the significant security issues they introduce.\n </p>\n</div>\n<div class=\"notecard note\">\n <p><strong>Note:</strong> Some examples include the <code><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src\"><code>object-src</code></a></code> directive, which provides backward compatibility for older browser versions. 
See <a href=\"#object-src_directive\">object-src directive</a> for more details.</p>\n</div>\n<p>Require that all types of content should be packaged with the extension:</p>\n<ul>\n <li>\n <p>Manifest V2</p>\n <div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">json</span></div><pre class=\"brush: json notranslate\"><code>\"content_security_policy\": \"default-src 'self'\"\n</code></pre></div>\n </li>\n <li>\n <p>Manifest V3</p>\n <div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">json</span></div><pre class=\"brush: json notranslate\"><code>\"content_security_policy\": {\n \"extension_pages\": \"default-src 'self'\"\n}\n</code></pre></div>\n </li>\n</ul>\n<p>Allow remote scripts from \"<a href=\"https://example.com\" class=\"external\" target=\"_blank\">https://example.com</a>\":</p>\n<ul>\n <li>\n <p>Manifest V2</p>\n <div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">json</span></div><pre class=\"brush: json notranslate\"><code>\"content_security_policy\": \"script-src 'self' https://example.com; object-src 'self'\"\n</code></pre></div>\n </li>\n <li>\n <p>Manifest V3 does not allow remote URLs in <code>script-src</code> of <code>extension_pages</code>.</p>\n </li>\n</ul>\n<p>Allow remote scripts from any subdomain of \"jquery.com\":</p>\n<ul>\n <li>\n <p>Manifest V2</p>\n <div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">json</span></div><pre class=\"brush: json notranslate\"><code>\"content_security_policy\": \"script-src 'self' https://*.jquery.com; object-src 'self'\"\n</code></pre></div>\n </li>\n <li>\n <p>Manifest V3 does not allow remote URLs in <code>script-src</code> of <code>extension_pages</code>.</p>\n </li>\n</ul>\n<p>Allow <a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_Security_Policy#eval%28%29_and_friends\"><code>eval()</code> and friends</a>:</p>\n<ul>\n <li>\n <p>Manifest V2</p>\n <div 
class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">json</span></div><pre class=\"brush: json notranslate\"><code>\"content_security_policy\": \"script-src 'self' 'unsafe-eval'; object-src 'self';\"\n</code></pre></div>\n </li>\n <li>\n <p>Manifest V3 does not allow <code>'unsafe-eval'</code> in <code>script-src</code>.</p>\n </li>\n</ul>\n<p>Allow the inline script: <code>\"&lt;script&gt;alert('Hello, world.');&lt;/script&gt;\"</code>:</p>\n<ul>\n <li>\n <p>Manifest V2</p>\n <div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">json</span></div><pre class=\"brush: json notranslate\"><code>\"content_security_policy\": \"script-src 'self' 'sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng='; object-src 'self'\"\n</code></pre></div>\n </li>\n <li>\n <p>Manifest V3 does not allow CSP hashes in <code>script-src</code> of <code>extension_pages</code>.</p>\n </li>\n</ul>\n<p>Keep the rest of the policy, but also require that images should be packaged with the extension:</p>\n<ul>\n <li>\n <p>Manifest V2</p>\n <div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">json</span></div><pre class=\"brush: json notranslate\"><code>\"content_security_policy\": \"script-src 'self'; object-src 'self'; img-src 'self'\"\n</code></pre></div>\n </li>\n <li>\n <p>Manifest V3</p>\n <div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">json</span></div><pre class=\"brush: json notranslate\"><code>\"content_security_policy\": {\n \"extension_pages\": \"script-src 'self'; img-src 'self'\"\n}\n</code></pre></div>\n </li>\n</ul>\n<p>Enable the use of <a href=\"/en-US/docs/WebAssembly\">WebAssembly</a>:</p>\n<ul>\n <li>\n <p>Manifest V2</p>\n <p>For backward compatibility, Manifest V2 extensions in Firefox can use WebAssembly without the use of <code>'wasm-unsafe-eval'</code>. However, this behavior isn't guaranteed. 
See <a href=\"https://bugzil.la/1770909\" class=\"external\" target=\"_blank\">Firefox bug 1770909</a>. Extensions using WebAssembly are therefore encouraged to declare <code>'wasm-unsafe-eval'</code> in their CSP. See <a href=\"/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_Security_Policy#webassembly\">WebAssembly</a> on the Content Security Policy page for more information.</p>\n <div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">json</span></div><pre class=\"brush: json notranslate\"><code>\"content_security_policy\": \"script-src 'self' 'wasm-unsafe-eval'\"\n</code></pre></div>\n </li>\n <li>\n <p>Manifest V3</p>\n <div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">json</span></div><pre class=\"brush: json notranslate\"><code>\"content_security_policy\": {\n \"extension_pages\": \"script-src 'self' 'wasm-unsafe-eval'\"\n}\n</code></pre></div>\n </li>\n</ul>"}},{"type":"prose","value":{"id":"invalid_examples","title":"Invalid examples","isH3":true,"content":"<p>Policy that omits the <code>\"object-src\"</code> directive:</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">json</span></div><pre class=\"brush: json example-bad notranslate\"><code>\"content_security_policy\": \"script-src 'self' https://*.jquery.com;\"\n</code></pre></div>\n<p>However, this is only invalid in browsers that support obsolete <a href=\"/en-US/docs/Glossary/Plugin\">plugins</a>. 
See <a href=\"#object-src_directive\">object-src directive</a> for more details.</p>\n<p>Policy that omits the <code>\"self\"</code> keyword in the <code>\"script-src\"</code> directive:</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">json</span></div><pre class=\"brush: json example-bad notranslate\"><code>\"content_security_policy\": \"script-src https://*.jquery.com; object-src 'self'\"\n</code></pre></div>\n<p>Scheme for a remote source is not <code>https</code>:</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">json</span></div><pre class=\"brush: json example-bad notranslate\"><code>\"content_security_policy\": \"script-src 'self' http://code.jquery.com; object-src 'self'\"\n</code></pre></div>\n<p>Wildcard is used with a generic domain (a shared suffix whose subdomains are controlled by unrelated parties):</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">json</span></div><pre class=\"brush: json example-bad notranslate\"><code>\"content_security_policy\": \"script-src 'self' https://*.blogspot.com; object-src 'self'\"\n</code></pre></div>\n<p>Source specifies a scheme but no host:</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">json</span></div><pre class=\"brush: json example-bad notranslate\"><code>\"content_security_policy\": \"script-src 'self' https:; object-src 'self'\"\n</code></pre></div>\n<p>Directive includes the unsupported keyword <code>'unsafe-inline'</code>:</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">json</span></div><pre class=\"brush: json example-bad notranslate\"><code>\"content_security_policy\": \"script-src 'self' 'unsafe-inline'; object-src 'self'\"\n</code></pre></div>"}},{"type":"browser_compatibility","value":{"title":"Browser compatibility","id":"browser_compatibility","isH3":false,"query":"webextensions.manifest.content_security_policy"}}],"toc":[{"text":"object-src 
directive","id":"object-src_directive"},{"text":"Manifest V2 syntax","id":"manifest_v2_syntax"},{"text":"Manifest V3 syntax","id":"manifest_v3_syntax"},{"text":"Examples","id":"examples"},{"text":"Browser compatibility","id":"browser_compatibility"}],"summary":"Extensions have a content security policy (CSP) applied to them by default. The default policy restricts the sources from which extensions can load code (such as \u003cscript> resources) and disallows potentially unsafe practices such as the use of eval(). See Default content security policy to learn more about the implications of this.","popularity":0.002,"modified":"2024-11-19T04:36:44.000Z","other_translations":[{"locale":"de","title":"content_security_policy","native":"Deutsch"},{"locale":"fr","title":"content_security_policy","native":"Français"},{"locale":"ja","title":"content_security_policy","native":"日本語"},{"locale":"ru","title":"content_security_policy","native":"Русский"}],"pageType":"webextension-manifest-key","source":{"folder":"en-us/mozilla/add-ons/webextensions/manifest.json/content_security_policy","github_url":"https://github.com/mdn/content/blob/main/files/en-us/mozilla/add-ons/webextensions/manifest.json/content_security_policy/index.md","last_commit_url":"https://github.com/mdn/content/commit/6368e2b112a343fa00ae1a8cf51ceb0b0b845834","filename":"index.md"},"short_title":"content_security_policy","parents":[{"uri":"/en-US/docs/Mozilla","title":"Mozilla"},{"uri":"/en-US/docs/Mozilla/Add-ons","title":"Add-ons"},{"uri":"/en-US/docs/Mozilla/Add-ons/WebExtensions","title":"Browser extensions"},{"uri":"/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json","title":"manifest.json"},{"uri":"/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy","title":"content_security_policy"}],"pageTitle":"content_security_policy - Mozilla | MDN","noIndexing":false}}</script></body></html>
