Chrome Extension Content Security Policy
Content Security Policy is an HTTP response header that helps mitigate XSS attacks on modern browsers. It restricts the resources that a page can load, and it allows for reporting of violations by browsers.
It can be bypassed by extensions, which use the Chrome webRequest API to intercept and modify incoming and outgoing requests. This can lead to serious vulnerabilities, such as stealing login credentials or browsing habits.
For example, if you have an extension that uses fonts from a third-party source, the default policy will block those fonts and may cause errors. This is because Chrome will attempt to load the fonts from multiple origins, and a man-in-the-middle attacker can replace those original sources with malicious ones.
A solution to this problem is the report-uri directive, which instructs the browser to send CSP violations to a specified URI. This can be used to debug issues with the policy, but it should be avoided for production use. In addition, you should avoid using DOM-injected scripts, which are more vulnerable to attacks and can be replaced with a different implementation by attackers.
Sandbox policy
The sandbox policy is an optional manifest key that defines restrictions on the pages and workers in an extension. It prevents extension pages from accessing browser APIs or directly accessing other sites, preventing XSS attacks. It also allows extensions to read files on the file system (but not write to them unless you give permission in the CSP settings page).
The sandbox policy limits the pages that an extension can open. It does not allow scripts to be loaded in windows or frames, and it prevents eval from being used. It also sets a unique origin for the sandbox and restricts form submission.
The sandbox policy is an excellent option for developers who want to protect their code from security issues. The sandbox allows you to monitor the policy without blocking any resources, which is useful for evaluating the impact of new rules before rolling out the full CSP. When the sandbox policy is enabled, the browser will send a Content-Security-Policy-Report-Only header to notify you of any violations.
Extension pages policy
The extension pages policy is an optional manifest key that defines restrictions on the scripts, styles, and other resources an extension can use. It also limits the amount of information shared between the extension page and the main world, making it harder to exploit a bug in an extension.
It restricts the sources from which extensions can load code and disallows potentially unsafe practices such as eval(). The policy can be customized as desired by the extension developer.
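As an added example (not code from the article or from Chrome), a small Node.js audit of the extension_pages policy string described above: it parses the directives and flags 'unsafe-eval', 'unsafe-inline' and any remote script source. The allowed keyword list reflects my reading of Chrome's Manifest V3 rules, and the two sample policies are constructed for illustration.

```javascript
// Added example (not from the original article): audit the Manifest V3
// "content_security_policy.extension_pages" string for the settings the
// article warns about: eval and scripts pulled from remote hosts. The
// allowed-keyword list reflects my reading of Chrome's MV3 rules, and the
// two policies at the bottom are constructed for illustration.

// Parse "directive value value; directive value" into a Map
// of directive name -> list of values with surrounding quotes removed.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives.set(
      name.toLowerCase(),
      values.map((v) => v.replace(/^'|'$/g, "").toLowerCase())
    );
  }
  return directives;
}

// Keywords an extension page may use in script-src without loading
// remote code (assumption: current MV3 rules).
const ALLOWED_SCRIPT_KEYWORDS = new Set([
  "self", "none", "wasm-unsafe-eval", "inline-speculation-rules",
]);

// Return a list of findings; an empty list means scripts may only come
// from the extension package itself and eval-style execution is blocked.
function auditExtensionPagesCsp(policy) {
  const findings = [];
  const d = parseCsp(policy);
  if (!d.has("script-src") && !d.has("default-src")) {
    findings.push("no script-src or default-src: script sources unrestricted");
  }
  for (const v of d.get("script-src") ?? d.get("default-src") ?? []) {
    if (v === "unsafe-eval") findings.push("'unsafe-eval' allows eval() in extension pages");
    else if (v === "unsafe-inline") findings.push("'unsafe-inline' allows injected inline scripts");
    else if (!ALLOWED_SCRIPT_KEYWORDS.has(v)) findings.push(`remote script source: ${v}`);
  }
  return findings;
}

// Constructed sample policies: a relaxed one and the hardened one.
const weakPolicy = "script-src 'self' https://cdn.example.com 'unsafe-eval'; object-src 'self'";
const hardenedPolicy = "script-src 'self'; object-src 'self'";
console.log(auditExtensionPagesCsp(weakPolicy));     // two findings
console.log(auditExtensionPagesCsp(hardenedPolicy)); // []
```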
Larger, more popular extensions tend to relax the rules on this a little bit, since they don’t want to risk being rejected from the Chrome Web Store for violating Google’s TOS (Terms of Service). Nevertheless, allowing an extension to declare all its resources as web-accessible will expose them to a wide variety of attacks. For example, if an extension is vulnerable to HTML injection, it may be possible for an attacker to steal sensitive data through the extension page by injecting code.
When implementing CSP, it’s important to test the implementation and ensure that it doesn’t break any features on your site. You can do this by sending the CSP header with the “report-only” option. This will send a report to the browser but not enforce the policy.
CSP requires all
For developers, it’s recommended to whitelist all libraries and services used by an extension so that these can be trusted. This will prevent them from being blocked by CSP, and it will help the developer detect if the library or service has been changed without their knowledge.