Script sources are safe (no wildcards)

ab-001324 · extension-permissions-security.content-security-policy.script-src-safe

Severity: criticalactive

Why it matters

CWE-79 (Cross-Site Scripting) in an extension context is substantially more dangerous than on a website: extension pages run with privileged access to chrome.* APIs, so an XSS that executes in an extension page can read storage, make API requests, or exfiltrate data from all tabs the extension accesses. CWE-693 (Protection Mechanism Failure) names the category. In Manifest V3, remote code execution is outright banned by Chrome policy; any script-src directive permitting remote URLs will cause CWS rejection. Wildcards in script-src (e.g., https:) completely defeat CSP. The Chrome MV3 CSP documentation makes this a hard requirement, not a recommendation.

Severity rationale

Critical because a permissive `script-src` in an extension page allows script injection into a privileged context with direct access to Chrome APIs, turning any XSS into full extension compromise.

Remediation

Set script-src to 'self' only in manifest.json CSP. Bundle all libraries locally — do not load scripts from CDNs. In MV3, any remote script source is a CWS policy violation.

"content_security_policy": {
  "extension_pages": "script-src 'self'; object-src 'none'"
}

If you need WebAssembly, add 'wasm-unsafe-eval' only — not the broader 'unsafe-eval'.

Detection

ID: script-src-safe
Severity: critical
What to look for: Quote the actual content_security_policy string from manifest.json. Enumerate all entries in the script-src directive (or default-src if script-src is missing). Count the number of remote domains listed.
Pass criteria: script-src contains only 'self', 'wasm-unsafe-eval' (if needed for WebAssembly), or specific blob:/filesystem: schemes if strictly necessary. No more than 0 remote domains (e.g., https://code.jquery.com) in MV3 (remote code is banned). Quote the actual script-src value found.
Fail criteria: script-src contains wildcards (*, https:, http:), or remote domains in MV2.
Skip (N/A) when: CSP is not defined (defaults to 'self' in MV3, generally safe, but explicit is better).
Detail on fail: "CSP script-src contains wildcards or remote sources."
Remediation: Remove remote script sources from manifest.json CSP. Bundle all libraries locally. In MV3, remote code is strictly prohibited.
```
"content_security_policy": { "extension_pages": "script-src 'self'; object-src 'none'" }
```

External references

cwe · CWE-79 — Improper Neutralization of Input During Web Page Generation (XSS)
cwe · CWE-693 — Protection Mechanism Failure
owasp:2021 · A03
external · chrome-mv3-csp — Chrome Extensions MV3: Content Security Policy

Taxons

injection-and-input-trust

History

2026-04-18·v1.0.0·Initial import from extension-permissions-security·automated

Why it matters

Remediation

Set script-src to 'self' only in manifest.json CSP. Bundle all libraries locally — do not load scripts from CDNs. In MV3, any remote script source is a CWS policy violation.

"content_security_policy": {
  "extension_pages": "script-src 'self'; object-src 'none'"
}

If you need WebAssembly, add 'wasm-unsafe-eval' only — not the broader 'unsafe-eval'.

Detection

ID: script-src-safe
Severity: critical
What to look for: Quote the actual content_security_policy string from manifest.json. Enumerate all entries in the script-src directive (or default-src if script-src is missing). Count the number of remote domains listed.
Pass criteria: script-src contains only 'self', 'wasm-unsafe-eval' (if needed for WebAssembly), or specific blob:/filesystem: schemes if strictly necessary. No more than 0 remote domains (e.g., https://code.jquery.com) in MV3 (remote code is banned). Quote the actual script-src value found.
Fail criteria: script-src contains wildcards (*, https:, http:), or remote domains in MV2.
Skip (N/A) when: CSP is not defined (defaults to 'self' in MV3, generally safe, but explicit is better).
Detail on fail: "CSP script-src contains wildcards or remote sources."
Remediation: Remove remote script sources from manifest.json CSP. Bundle all libraries locally. In MV3, remote code is strictly prohibited.
```
"content_security_policy": { "extension_pages": "script-src 'self'; object-src 'none'" }
```