Michael

Reputation: 1839

Chrome extension how to include content security policy for chrome-extension://

I have tests running for my chrome extension and I execute them from chrome-extension://extensionid/tests.html

I get content security policy errors that do not allow in-line scripts. Is there any way that I can remove these while testing? (add a meta tag that disables it for that html or some other way that won't make the extension less secure?)

I have added the following in the head of my test.html page

<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'sha256-jynp9uOEMlgu3tR4l2Dr3s2aDinAZ60XBJB90peqSiY=' 'sha256-15MCFd4+StoldY1/R3pkitrT0zw4gNvsPZieV/QiqRE=' 'sha256-9/aliU8dGd2tb6OSsuzixeV4y/faTqgFtohetphbbj0=' 'sha256-PnGpdwmF8gaODbB6epAipygkpV6GFPS46JZtI9veRzU=' 'sha256-J4clsEh5/6tMX7sob7FXvQGfQUYKmTGqi2iPvj3P6n4=' https://apis.google.com/ https://www.gstatic.com/ https://*.firebaseio.com https://www.googleapis.com https://ajax.googleapis.com; object-src 'self'">

But I still get errors in the console about the content security policy. The error still shows the old policy from my manifest.json.

Upvotes: 0

Views: 1227

Answers (1)

granty

Reputation: 8496

  1. Actually wOxxOm answered the first part of the question - the additional headers could only make the resulting CSP more restrictive.

When multiple CSPs are present, to be applied all sources/tokens should pass unscathed through all CSPs (filtered through all policies) - this section is not normative in the CSP spec, but testing shows that Chrome and Firefox follow it. It does not matter how the CSPs were delivered to the page: via HTTP header, <meta> tag, or even HTTP header + meta.

As you wrote, "The error still shows the old policy from my manifest.json" - it means this CSP is more restrictive in your case.

  2. If you don't want to make the extension less secure - just move the sha256 values from the meta tag to the CSP in manifest.json. This will allow inline scripts with those hashes only; no other script will be allowed.

Downside - you need to recalculate the hashes after each script change, but Chrome will do it for you.

Upvotes: 1
