The API request in the content scripts was blocked by CSP

Works well on Chrome.

Do I have to move API requests to background.js?

What code did you use to make that request? Is that fetch?
In any case, I’m a bit surprised it works in Chrome, since CSP should block it there as well.

So yeah, you should send a message to the background script and it can reply with a result (if the message handler returns a Promise, it will be sent as the result back to the content script).
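The message round trip described in the reply above, as an added example that is not part of the original thread. It assumes the promise-based `browser.runtime` API; the origin `https://api.example.com`, the message type `api-fetch` and both function names are hypothetical.

```javascript
// Added example, not code from the thread. All names here are hypothetical.
const ALLOWED_ORIGINS = new Set(["https://api.example.com"]); // assumed API origin

// background.js side: validate the request, then fetch outside the page's CSP.
function makeBackgroundHandler(extensionId, fetchImpl) {
  return function onMessage(message, sender) {
    // Only answer our own extension's scripts, and only this message type.
    if (sender.id !== extensionId || !message || message.type !== "api-fetch") {
      return undefined; // not handled by this listener
    }
    let url;
    try {
      url = new URL(message.url);
    } catch {
      return Promise.resolve({ ok: false, error: "invalid URL" });
    }
    // Content scripts run inside untrusted pages, so the background script
    // must not fetch arbitrary URLs on their behalf.
    if (!ALLOWED_ORIGINS.has(url.origin)) {
      return Promise.resolve({ ok: false, error: "origin not allowed" });
    }
    // The value this Promise resolves to is delivered to the content script.
    return fetchImpl(url.href, { credentials: "omit" })
      .then(async (res) => ({ ok: res.ok, status: res.status, body: await res.text() }))
      .catch((err) => ({ ok: false, error: String(err.message || err) }));
  };
}

// Content script side: ask the background script instead of calling fetch.
async function fetchViaBackground(runtime, url) {
  const reply = await runtime.sendMessage({ type: "api-fetch", url });
  if (!reply || !reply.ok) {
    throw new Error(reply ? reply.error || `HTTP ${reply.status}` : "no reply");
  }
  return reply.body;
}

// In background.js:
//   browser.runtime.onMessage.addListener(
//     makeBackgroundHandler(browser.runtime.id, fetch));
// In the content script:
//   const body = await fetchViaBackground(browser.runtime, "https://api.example.com/v1");
```

The extension also needs host permission for the API origin in its manifest for the background fetch to succeed.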

Yes, it’s fetch.
It seems that the latest version of Chrome will also block it 😂

I tried the latest version of Chrome (Version 111.0.5563.65 (Official Build) (64-bit)) and it still works.

The CSP is defined by the header of the page you load.
So on some pages, it will work while on others it will not.
But in general, a correctly secured page should not allow you to fetch a cross-origin resource.

Try it on the same page in both browsers.