As part of our efforts to make add-ons safer for users, and to support evolving manifest v3 features, we are making changes to apply the Content Security Policy (CSP) to content scripts used in extensions.
You can see how your extension will be affected by testing this feature in Nightly or Beta. For more information, please see the Add-ons Blog.
I may have just missed it, but what’s the CSP for content scripts with this change? The same as the one that currently applies to extension pages by default? And what does no remote scripts mean for content scripts? Since content scripts aren’t really HTML pages… Or is it that they can’t inject script tags that load a script from a remote resource?
Developers can no longer use CSP directives that enable remotely hosted code (code that is not bundled with the extension). Manifests that include such directives will error at parse time. …
This will require two sets of CSP defaults, one for v2 and one for v3. As well, if bug 1594235 is implemented, we’ll need a separate set for that.
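
A pre-submission lint for the rule quoted above (CSP directives that enable remotely hosted code), as an added example that is not code from Mozilla or from anyone in this thread. The function names are hypothetical, the manifests are constructed samples, and the test for "remote" (any script source that is not a quoted keyword, nonce or hash) is an assumption that approximates the browser's own parse-time check rather than reproducing it.

```javascript
// Added example: flag script sources in an extension manifest's CSP that
// would permit code not bundled with the extension.

// Parse a CSP string into directive -> source list.
// Per the CSP spec, a repeated directive is ignored (first occurrence wins).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Sources that govern script loading: script-src, else the default-src fallback.
// Assumption: quoted tokens ('self', 'none', 'wasm-unsafe-eval', nonces, hashes)
// are local; host, scheme and wildcard sources are treated as remote.
function remoteScriptSources(policy) {
  const d = parseCsp(policy);
  const sources = d.get("script-src") ?? d.get("default-src") ?? [];
  return sources.filter((s) => !/^'.*'$/.test(s));
}

// Manifest v2 stores the CSP as a string; manifest v3 stores an object
// keyed by context (for example extension_pages).
function lintManifest(manifest) {
  const csp = manifest.content_security_policy;
  const policies =
    typeof csp === "string" ? { content_security_policy: csp } : csp ?? {};
  const findings = [];
  for (const [key, policy] of Object.entries(policies)) {
    for (const source of remoteScriptSources(policy)) {
      findings.push({ key, source });
    }
  }
  return findings;
}

// Constructed sample manifests.
const mv2Remote = {
  manifest_version: 2,
  content_security_policy:
    "script-src 'self' https://cdn.example.com; object-src 'self'",
};
const mv3Local = {
  manifest_version: 3,
  content_security_policy: { extension_pages: "script-src 'self' 'wasm-unsafe-eval'" },
};
console.log(lintManifest(mv2Remote), lintManifest(mv3Local));
```
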