
Error Loading Chrome Extension - Insecure CSP value "" in directive 'script-src'

When migrating MV2 to MV3, Chrome is throwing this error:

Example Error

Insecure CSP value "" in directive 'script-src'

Here's my content security policy:

"content_security_policy": {
    "extension_pages": "script-src 'self' 'https://www.fonts.googleapis.com' 'unsafe-eval'; object-src 'self'"
}

How can I fix this?

jagdeep sharma asked May 20 '26 22:05


1 Answer

According to the section on Remotely hosted code restrictions in the v2 to v3 migration guide:

Remotely hosted code refers to any code that is not included in an extension's package as a loadable resource. For example, the following are considered remotely hosted code:

  • JavaScript files pulled from the developer's server.
  • Any library hosted on a CDN.
  • A code string passed into eval() at runtime.

In Manifest V3, all of your extension's logic must be included in the extension. You can no longer load and execute a remotely hosted file.

You'll have to download a local version of the script and reference that.

Manifest V2 Page

<script src="https://unpkg.com/react@18/umd/react.production.min.js"></script>
<link href="https://cdn.jsdelivr.net/npm/[email protected]/dist/css/bootstrap.min.css" rel="stylesheet">

Manifest V3 Page

<script src="./react-dom.production.min.js"></script>
<link href="./bootstrap.min.css" rel="stylesheet">
KyleMit answered May 22 '26 11:05
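A pre-load check for the manifest, as an added example that is not part of the original question or answer: it parses `extension_pages` and reports every source in `script-src`, `object-src` or `worker-src` that falls outside the values Manifest V3 accepts there. The function names and the allow-list are assumptions written for this example (the list follows Chrome's documented MV3 limits: `'self'`, `'none'`, `'wasm-unsafe-eval'`, plus localhost for unpacked extensions), not Chrome's own validation code.

```javascript
// Added example, not Chrome's implementation. Names below are hypothetical.
// Assumption: MV3 restricts these three directives to the allow-list that follows.
const RESTRICTED = new Set(["script-src", "object-src", "worker-src"]);
const ALLOWED_KEYWORDS = new Set(["'self'", "'none'", "'wasm-unsafe-eval'"]);
// Localhost sources are accepted for unpacked (development) extensions only.
const LOCALHOST = /^http:\/\/(localhost|127\.0\.0\.1)(:(\d+|\*))?$/;

// Split a CSP string into directive -> sources. As in CSP itself, only the
// first occurrence of a directive counts; later duplicates are ignored.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = (name || "").toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Return [{ directive, source }] for every source MV3 would not accept.
function findInsecureCspSources(manifest, { unpacked = false } = {}) {
  const policy = manifest.content_security_policy?.extension_pages ?? "";
  const findings = [];
  for (const [directive, sources] of parseCsp(policy)) {
    if (!RESTRICTED.has(directive)) continue;
    for (const source of sources) {
      const ok = ALLOWED_KEYWORDS.has(source.toLowerCase()) ||
        (unpacked && LOCALHOST.test(source));
      if (!ok) findings.push({ directive, source });
    }
  }
  return findings;
}

// Constructed samples: the policy from the question, then a packaged-only policy.
const fromQuestion = { content_security_policy: { extension_pages:
  "script-src 'self' 'https://www.fonts.googleapis.com' 'unsafe-eval'; object-src 'self'" } };
const packagedOnly = { content_security_policy: { extension_pages:
  "script-src 'self'; object-src 'self'" } };

console.log(findInsecureCspSources(fromQuestion)); // two findings, both in script-src
console.log(findInsecureCspSources(packagedOnly)); // []
```

Run it with Node against the parsed `manifest.json` in a build step, and fail the build when the returned array is non-empty.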


