
In the Google Chrome documentation I found that I can add a Content Security Policy to allow an external JavaScript file to work in my extension.

But I couldn't find how to add multiple ones. Is it an array of strings?

"content_security_policy": "script-src 'self' https://example.com; object-src 'self'"

I tried to put multiple lines like that, but it doesn't work. I get this error:

Refused to load the script https://example.com because it violates the following Content Security Policy directive: "script-src 'self' https://example.com". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

Creeper

1 Answer


CSP policy is a single string (containing a semicolon-separated list of directives and their arguments). It applies to all extension pages.

If you need a single policy with multiple sources, you can do that. In fact, you already have that: 'self' and https://example.com are two sources.

Read about CSP in general and script-src directive, e.g. on the MDN.

Syntax

One or more sources can be allowed for the script-src policy:

Content-Security-Policy: script-src <source>;
Content-Security-Policy: script-src <source> <source>;

So you just need to space-separate them between script-src and the semicolon.

Make sure that your sources do not contain paths.
E.g. https://example.com is OK, but https://example.com/ or https://example.com/script.js are not.

If you need multiple independent policies for different pages, I'm afraid you can't do that.

Xan
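An added example, not part of the answer above or of Chrome's documentation: it assembles the single policy string for the manifest from a list of script sources, space-separating them and rejecting any source that carries a path, as the answer advises. The function names and the host cdn.example.net are hypothetical, and limiting sources to 'self' plus bare https origins is an assumption of this sketch.

```javascript
// Hypothetical helpers (not Chrome APIs): build the one CSP string that the
// manifest's "content_security_policy" key expects from a list of sources.

// Keyword sources keep their single quotes inside the policy string.
const KEYWORDS = new Set(["'self'", "'none'"]);

function checkSource(source) {
  if (typeof source !== 'string') {
    throw new Error('source must be a string');
  }
  if (KEYWORDS.has(source)) return source;
  // Whitespace, ';' or ',' would split the value into extra sources,
  // directives or policies, so one list entry must never contain them.
  if (/[\s;,]/.test(source)) {
    throw new Error(`source contains a separator character: ${source}`);
  }
  // Accept scheme://host[:port] only, following the answer's advice that
  // a source must not carry a path (not even a trailing slash).
  if (!/^https:\/\/[A-Za-z0-9.-]+(:\d+)?$/.test(source)) {
    throw new Error(`not a bare https origin: ${source}`);
  }
  return source;
}

function buildCsp(scriptSources) {
  if (!Array.isArray(scriptSources) || scriptSources.length === 0) {
    throw new Error('at least one script source is required');
  }
  // Validate each entry, drop duplicates, then space-separate the sources
  // between the directive name and the semicolon.
  const unique = [...new Set(scriptSources.map(checkSource))];
  return `script-src ${unique.join(' ')}; object-src 'self'`;
}

function manifestFragment(scriptSources) {
  // The manifest value is a single string, not an array of strings.
  return JSON.stringify(
    { content_security_policy: buildCsp(scriptSources) }, null, 2);
}

// Constructed sample input: two external origins next to 'self'.
console.log(manifestFragment(
  ["'self'", 'https://example.com', 'https://cdn.example.net']));
```

Building the string from a validated list keeps a stray semicolon or path in one entry from silently changing the policy that applies to all extension pages.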