How do you implement Content Security Policy on local extension page?

I’m working on an extension where you need to encrypt or decrypt data. Naturally, I want to make sure that only the scripts from my extension are able to run on the local HTML page, to prevent the possibility of the password field being captured by another script.

I know that on a website, you can use the CSP header to prevent other scripts from running. Is it possible to do something similar on a local HTML page within my extension? If so, does anyone have a demo of what the code would look like?

For example, I don’t want the pages of my extension to be accessible to the content-scripts of other extensions because they could potentially grab the text of the password field.

You can use the http-equiv meta tag with CSPs, though some directives don’t have full effect. Though I think your default extension CSP also applies to every HTML page bundled with your extension.

Lastly, while you can’t control content-scripts using CSPs, no content-script that isn’t your own can be attached to your extension’s page in the first place (to avoid privilege escalation, like the one you describe).

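To make the reply above concrete, here is an added example (my own, not code from the thread or from Mozilla) that runs under Node.js. It shows the two places a policy can come from on a bundled extension page: the manifest's `content_security_policy` key, which falls back to the Firefox default of `script-src 'self'; object-src 'self'` when omitted, and an `http-equiv` meta tag on the page itself, which can only tighten the manifest policy, never loosen it (and in which `frame-ancestors`, `report-uri` and `sandbox` are ignored). A small, deliberately simplified evaluator then checks what each policy lets through: an inline `<script>`, a script bundled with the extension, and a script pulled from a CDN. The `moz-extension://` UUID and `cdn.example.com` are made up, the manifest is a hypothetical fragment, and the evaluator models only `'self'`, `'none'`, `'unsafe-inline'`, scheme and host sources, not nonces, hashes or wildcards. Note that, as the reply says, none of this governs content scripts; the browser simply does not attach other extensions' content scripts to your pages.

```javascript
// Added example, not from the original thread: which scripts a Firefox
// extension page accepts under its manifest CSP and a page-level meta CSP.
// Run with: node csp-demo.js

// Assumption: a made-up extension origin. Every page bundled with the
// extension is served from this origin, so 'self' means "my own files".
const PAGE_ORIGIN = "moz-extension://0123abcd-0000-4000-8000-000000000000";

// Default policy Firefox applies to MV2 extension pages when the manifest
// does not set content_security_policy.
const DEFAULT_EXTENSION_CSP = "script-src 'self'; object-src 'self'";

// Hypothetical manifest that keeps the default (no content_security_policy key).
const MANIFEST_WITH_DEFAULT_CSP = {
  manifest_version: 2,
  name: "encrypt-decrypt-demo",
  version: "1.0",
};

// The same manifest weakened to load a library from a CDN (hypothetical host).
const MANIFEST_WITH_CDN = {
  ...MANIFEST_WITH_DEFAULT_CSP,
  content_security_policy: "script-src 'self' https://cdn.example.com; object-src 'self'",
};

function effectivePolicy(manifest) {
  return manifest.content_security_policy || DEFAULT_EXTENSION_CSP;
}

// Page-level policy. A meta tag adds a second policy that must ALSO be
// satisfied, so it can only restrict further; it cannot re-enable what the
// manifest policy blocks.
function metaTagFor(policy) {
  return `<meta http-equiv="Content-Security-Policy" content="${policy}">`;
}

// Split "a b; c d" into Map { a => [b], c => [d] }; first directive wins.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    if (!directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// new URL(u).origin is "null" in Node for non-special schemes such as
// moz-extension:, so extract scheme://host[:port] by hand.
function originOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/?#]+)/i.exec(url);
  if (!m) throw new Error(`not an absolute URL: ${url}`);
  return `${m[1].toLowerCase()}://${m[2].toLowerCase()}`;
}

// Simplified CSP source matching; `script` is {kind: "inline"} or
// {kind: "external", url}. Not the browser's full algorithm.
function scriptAllowed(policy, script, pageOrigin) {
  const directives = parseCsp(policy);
  const sources = directives.get("script-src") ?? directives.get("default-src");
  if (sources === undefined) return true;              // nothing governs scripts
  if (sources.includes("'none'")) return false;
  if (script.kind === "inline") return sources.includes("'unsafe-inline'");
  const origin = originOf(script.url);
  const host = origin.split("://")[1];
  for (const src of sources) {
    if (src === "'self'") { if (origin === pageOrigin) return true; continue; }
    if (src.startsWith("'")) continue;                 // keywords never match a URL
    if (src === "*") return true;
    if (src.endsWith(":")) { if (origin.startsWith(src + "//")) return true; continue; }
    if (src.includes("://")) { if (originOf(src) === origin) return true; continue; }
    if (src.toLowerCase() === host) return true;       // bare host source
  }
  return false;
}

// Both policies applied to a page (manifest + meta): allowed only if every
// policy allows it.
function allowedByAll(policies, script, pageOrigin) {
  return policies.every((p) => scriptAllowed(p, script, pageOrigin));
}

const INLINE = { kind: "inline" };
const BUNDLED = { kind: "external", url: `${PAGE_ORIGIN}/crypto.js` };
const CDN = { kind: "external", url: "https://cdn.example.com/lib.js" };

for (const [label, manifest] of [["default", MANIFEST_WITH_DEFAULT_CSP], ["cdn", MANIFEST_WITH_CDN]]) {
  const policy = effectivePolicy(manifest);
  console.log(`[${label}] ${policy}`);
  console.log("  inline:", scriptAllowed(policy, INLINE, PAGE_ORIGIN));
  console.log("  bundled:", scriptAllowed(policy, BUNDLED, PAGE_ORIGIN));
  console.log("  cdn:", scriptAllowed(policy, CDN, PAGE_ORIGIN));
}
console.log(metaTagFor("script-src 'self'"));
```

The last line prints the meta tag you would put in the `<head>` of the extension's own page; with the default manifest policy it is redundant, but it is the place to tighten further (for example `default-src 'none'; script-src 'self'; style-src 'self'`). The point the evaluator makes is that the default policy already refuses inline scripts and every remote host, so the only way a password field on your page becomes readable by foreign script is if you add that host to `content_security_policy` yourself.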

Ok, that’s good to know. I guess what I’m trying to do has already been done by Mozilla, so that’s good. Thanks!