I want to migrate my Chrome Extension to manifest V3.
The content_security_policy looks as follows in Manifest V2:
{...
"content_security_policy": "script-src 'self' 'sha256-...'; object-src 'self'"
}
Notice that I'm using a sha-256 value, which is the most specific property.
Furthermore, I performed a "semi-official" conversion using this tool.
When I convert the manifest to V3 and then update the extension, I get the following error. I don't understand why it is considered an insecure CSP value, while it is accepted in Manifest V2 and it is considered secure to use the specified hash value of the code.
How can I overcome it?
CodePudding user response:
In MV3, the CSP is an object; however, in the error it is a string, so it needs to be reformatted.
Example and instructions from migration guide:
Manifest V2
"content_security_policy": "..."
Manifest V3
"content_security_policy": {
"extension_pages": "...",
"sandbox": "..."
}
extension_pages: This policy covers pages in your extension, including html files and service workers.
These page types are served from the chrome-extension:// protocol. For instance, a page in your extension is chrome-extension://<extension-id>/foo.html.
sandbox: This policy covers any sandboxed extension pages that your extension uses.
Important!
In addition, MV3 disallows certain CSP modifications for extension_pages that were permitted in MV2. The script-src, object-src, and worker-src directives may only have the following values:
- self
- none
- Any localhost source, (http://localhost, http://127.0.0.1, or any port on those domains)
CSP modifications for sandbox have no such new restrictions.
Going through this guide, it seems having sha-256 values is not allowed for extension pages. But these are typically inlined scripts. You can save the script as a js file, and load it from there using a <script/> tag instead; this will not require a CSP policy.
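
The rules quoted in the answer above can be checked before loading the extension. The following is an added example, not part of the original answer or of Chrome's tooling: the function names `parseCsp` and `lintManifestCsp` are hypothetical, the sample manifests are constructed, and the allowed-value list mirrors only the migration-guide excerpt quoted above.

```javascript
// Added example: lint a manifest's CSP against the MV3 rules quoted above.
// Allowed values mirror the quoted guide: 'self', 'none', localhost sources.
const RESTRICTED = ["script-src", "object-src", "worker-src"];
const LOCALHOST = /^http:\/\/(localhost|127\.0\.0\.1)(:(\d+|\*))?$/;

// Split a CSP string into { directive: [source, ...] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = values;
  }
  return directives;
}

// Return a list of problems; an empty list means the CSP passes these checks.
function lintManifestCsp(manifest) {
  const csp = manifest.content_security_policy;
  if (csp === undefined) return [];
  if (typeof csp === "string") {
    return ["content_security_policy is a string (MV2 form); MV3 expects an object"];
  }
  const problems = [];
  // Only extension_pages is restricted; sandbox has no such new restrictions.
  const directives = parseCsp(csp.extension_pages || "");
  for (const name of RESTRICTED) {
    for (const value of directives[name] || []) {
      const ok = value === "'self'" || value === "'none'" || LOCALHOST.test(value);
      if (!ok) problems.push(`extension_pages ${name}: ${value} is not allowed`);
    }
  }
  return problems;
}

// Constructed sample manifests; the hash is a placeholder, not a real digest.
const mv2Style = { manifest_version: 3,
  content_security_policy: "script-src 'self' 'sha256-PLACEHOLDER'; object-src 'self'" };
const hashInObject = { manifest_version: 3, content_security_policy: {
  extension_pages: "script-src 'self' 'sha256-PLACEHOLDER'; object-src 'self'" } };
const fixed = { manifest_version: 3, content_security_policy: {
  extension_pages: "script-src 'self'; object-src 'self'" } };

for (const [label, m] of Object.entries({ mv2Style, hashInObject, fixed })) {
  console.log(label, lintManifestCsp(m));
}
```

The first manifest reproduces the string-form mistake from the question, the second shows that moving the same policy into `extension_pages` still fails because of the hash source, and the third is the form that remains once the inline script has been moved to its own file.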