content_security_policy
/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy
Type: String
Mandatory: No
Example:

    "content_security_policy": "default-src 'self'"

Extensions have a content security policy applied to them by default. The default policy restricts the sources from which they can load <script> and <object> resources, and disallows potentially unsafe practices such as the use of eval(). See Default content security policy to learn more about the implications of this.

You can use the "content_security_policy" manifest key to loosen or tighten the default policy. This key is specified in just the same way as the Content-Security-Policy HTTP header. See Using Content Security Policy for a general description of CSP syntax.

For example, you can use this key to:

There are restrictions on the policy you can specify here:

  • The policy may include just default-src, but if not, the policy must include at least the script-src and object-src directives, and the script-src directive must contain the keyword 'self'.
  • Remote sources must use https: schemes.
  • Remote sources must not use wildcards for any domains in the public suffix list (so "*.co.uk" and "*.blogspot.com" are not allowed, although "*.foo.blogspot.com" is allowed).
  • All sources must specify a host.
  • The only permitted schemes for sources are: blob:, filesystem:, moz-extension:, https:, and wss:.
  • The only permitted keywords are: 'none', 'self', and 'unsafe-eval'.
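The restrictions above can be checked mechanically before an extension is packaged. The following validator is an added example (not MDN's or Firefox's own code) that applies each rule to a manifest "content_security_policy" string, and it reproduces the valid and invalid examples given on this page. It assumes a constructed stub public-suffix list containing only the page's two examples, and it rejects scheme-less host sources (an assumption, since the page requires the https: scheme for remote sources).

```javascript
// Added example (not MDN's or Firefox's code): validate a manifest
// "content_security_policy" string against this page's restrictions.
// PUBLIC_SUFFIXES is a constructed stub; the real list is far longer.
const PUBLIC_SUFFIXES = ["co.uk", "blogspot.com"];
const SCHEMES = ["blob:", "filesystem:", "moz-extension:", "https:", "wss:"];
const KEYWORDS = ["'none'", "'self'", "'unsafe-eval'"];
// Parse "script-src 'self' https://a; object-src 'self'" into { name: [sources] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}
// Check one source expression; returns an error string, or null when it is allowed.
function checkSource(src) {
  if (KEYWORDS.includes(src)) return null;
  if (/^'sha(256|384|512)-[A-Za-z0-9+\/=]+'$/.test(src)) return null; // inline-script hash
  if (src.startsWith("'")) return `unsupported keyword ${src}`;
  const m = /^([a-z-]+:)(?:\/\/)?(.*)$/i.exec(src);
  if (!m) return `source ${src} has no scheme (rejected by assumption)`;
  const [, scheme, host] = m;
  if (!SCHEMES.includes(scheme.toLowerCase())) return `scheme ${scheme} is not permitted`;
  if (host === "") return `source ${src} specifies a scheme but no host`;
  const domain = host.split(/[:/]/)[0]; // drop any port or path
  if (domain.startsWith("*.") && PUBLIC_SUFFIXES.includes(domain.slice(2))) {
    return `wildcard over public suffix ${domain.slice(2)}`;
  }
  return null;
}
// Returns the list of violations; an empty list means the policy passes every rule.
function validatePolicy(policy) {
  const d = parseCsp(policy);
  const names = Object.keys(d);
  const errors = [];
  if (!(names.length === 1 && names[0] === "default-src")) {
    if (!d["script-src"]) errors.push("missing script-src");
    else if (!d["script-src"].includes("'self'")) errors.push("script-src lacks 'self'");
    if (!d["object-src"]) errors.push("missing object-src");
  }
  for (const name of names) for (const src of d[name]) {
    const err = checkSource(src);
    if (err) errors.push(`${name}: ${err}`);
  }
  return errors;
}
```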

## Example

### Valid examples

Note: Valid examples demonstrate the correct use of keys in CSP. However, extensions with 'unsafe-eval', remote script, blob, or remote sources in their CSP are not allowed for Firefox extensions as per the add-on policies and due to major security issues.

Require that all types of content should be packaged with the extension:

    "content_security_policy": "default-src 'self'"

Allow remote scripts from "https://example.com":

    "content_security_policy": "script-src 'self' https://example.com; object-src 'self'"

Allow remote scripts from any subdomain of "jquery.com":

    "content_security_policy": "script-src 'self' https://*.jquery.com; object-src 'self'"

Allow eval() and friends:

    "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self';"

Allow the inline script "<script>alert('Hello, world.');</script>":

    "content_security_policy": "script-src 'self' 'sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng='; object-src 'self'"

Keep the rest of the policy, but also require that images should be packaged with the extension:

    "content_security_policy": "script-src 'self'; object-src 'self'; img-src 'self'"

### Invalid examples

Policy that omits the "object-src" directive:

    "content_security_policy": "script-src 'self' https://*.jquery.com;"

Policy that omits the "self" keyword in the "script-src" directive:

    "content_security_policy": "script-src https://*.jquery.com; object-src 'self'"

Scheme for a remote source is not https:

    "content_security_policy": "script-src 'self' http://code.jquery.com; object-src 'self'"

Wildcard is used with a generic domain:

    "content_security_policy": "script-src 'self' https://*.blogspot.com; object-src 'self'"

Source specifies a scheme but no host:

    "content_security_policy": "script-src 'self' https:; object-src 'self'"

Directive includes the unsupported keyword 'unsafe-inline':

    "content_security_policy": "script-src 'self' 'unsafe-inline'; object-src 'self'"

## Browser compatibility