Content Security Policy
CSP works as a black/whitelisting mechanism for resources loaded or executed by your extensions
.
These policies provide security over and above the host permissions
your extension requests; they’re an additional layer of protection, not a replacement.
On the web, such a policy is defined via an HTTP header or meta element.
Content Scripts
The policy that we have been discussing applies to the background pages
and event pages
of the extension. How they apply to the content scripts
of the extension is more complicated.
Content scripts are generally not subject to the CSP of the extension.
Default Policy Restrictions
script-src 'self'; object-src 'self'
This policy adds security by limiting extensions and applications in three ways:
- Eval and related functions are disabled
- Inline JavaScript will not be executed
- Only local script and and object resources are loaded