security: add explicit Content Security Policy to manifest #11

Merged: melvincarvalho merged 1 commit into JavaScriptSolidServer:main from jjohare:security/add-manifest-csp, May 12, 2026

@jjohare jjohare commented May 12, 2026

Summary

  • Adds an explicit content_security_policy field to manifest.json for extension pages: script-src 'self'; object-src 'self'
  • MV3 already enforces restrictive CSP defaults, but documenting the policy explicitly prevents accidental relaxation during future development and makes the extension's trust boundary auditable at a glance
  • No functional change to runtime behaviour since this matches the MV3 default

Test plan

  • Load the extension in Chrome and verify it installs without manifest errors
  • Confirm the popup and options pages still load and function correctly
  • Verify chrome://extensions shows no CSP warnings

🤖 Generated with claude-flow

MV3 has restrictive CSP defaults, but an explicit policy documents the
intended security posture, prevents accidental relaxation during future
development, and makes the extension's trust boundary auditable at a
glance.

Co-Authored-By: claude-flow <ruv@ruv.net>

Copilot AI left a comment

Pull request overview

Adds an explicit Content Security Policy (CSP) declaration to the Chrome MV3 extension manifest, making the extension-page trust boundary easier to audit and less likely to be accidentally relaxed in future edits.

Changes:

  • Define content_security_policy.extension_pages in manifest.json as script-src 'self'; object-src 'self'.

@melvincarvalho melvincarvalho merged commit ca48fa4 into JavaScriptSolidServer:main May 12, 2026
4 checks passed
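
A check that could run in CI so the declared policy stays at the baseline the PR describes and any later relaxation is flagged. This is an added example, not code from the PR or the project; the function names and the sample manifests are hypothetical, and the baseline is the policy string stated in the PR.

```javascript
// Added example, not project code. BASELINE is the policy stated in the PR.
const BASELINE = { 'script-src': ["'self'"], 'object-src': ["'self'"] };

// Parse a CSP string into { directive: [sources] }.
function parseCsp(policy) {
  const out = Object.create(null);
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by CSP parsers; keep the first one.
    if (!(name in out)) out[name] = tokens.slice(1);
  }
  return out;
}

// Returns findings; an empty array means the policy is at or below the baseline.
function auditManifestCsp(manifest) {
  const csp = manifest.content_security_policy;
  if (typeof csp === 'string') {
    return ['content_security_policy is a string; MV3 expects an object with extension_pages'];
  }
  const pages = csp && csp.extension_pages;
  if (typeof pages !== 'string') {
    return ['content_security_policy.extension_pages is not declared'];
  }
  const parsed = parseCsp(pages);
  const findings = [];
  for (const [directive, allowed] of Object.entries(BASELINE)) {
    if (!(directive in parsed)) {
      findings.push(`${directive} is missing`);
      continue;
    }
    for (const src of parsed[directive]) {
      const s = src.toLowerCase();
      // 'none' is stricter than the baseline, so it is accepted.
      if (s !== "'none'" && !allowed.includes(s)) {
        findings.push(`${directive} allows ${src}`);
      }
    }
  }
  return findings;
}

// Constructed sample manifests (not the project's manifest.json).
const declared = { manifest_version: 3, content_security_policy: { extension_pages: "script-src 'self'; object-src 'self'" } };
const relaxed = { manifest_version: 3, content_security_policy: { extension_pages: "script-src 'self' 'unsafe-eval' https://cdn.example; object-src 'self';" } };
console.log(auditManifestCsp(declared));
console.log(auditManifestCsp(relaxed));
```

Run against the parsed `manifest.json` and fail the build when the returned array is non-empty.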