Base URI is restricted

Base tag injection (CAPEC-86) is a real attack: if an attacker can inject <base href="https://evil.com/"> into an extension page via DOM XSS, all relative URLs in that page — scripts, images, API calls — resolve to the attacker's server. CWE-16 (Configuration) names the failure: omitting base-uri from CSP leaves a bypass path for XSS that circumvents script-src. OWASP A05 (Security Misconfiguration) applies. Setting base-uri 'none' costs nothing and closes a class of attack that bypasses otherwise correct CSP configurations. Chrome extension security guidance lists this as a required directive for hardened CSPs.

Add base-uri 'none'; to your CSP string in manifest.json. This prevents any <base> tag from taking effect, even if one is injected via XSS.

"content_security_policy": {
  "extension_pages": "script-src 'self'; object-src 'none'; base-uri 'none'"
}

Prefer 'none' over 'self' for base-uri — extension pages rarely need a <base> tag, and 'none' is the stricter posture.

• ID: base-uri-restricted

• Severity: medium

• What to look for: Enumerate all CSP directives from manifest.json. Quote the base-uri directive value. Verify it is set to 'none' or 'self' to prevent base tag injection attacks.

• Pass criteria: base-uri is set to 'none' or 'self' in the CSP. At least 1 explicit base-uri directive must be present in the policy string. Quote the actual value found.

• Fail criteria: base-uri is missing from the CSP entirely.

• Skip (N/A) when: Never — base tag injection is a real attack vector.

• Detail on fail: "CSP does not restrict base-uri. Attackers could inject <base> tags to hijack relative links."

• Remediation: Add base-uri 'none'; or base-uri 'self'; to your CSP in manifest.json.

  "content_security_policy": { "extension_pages": "script-src 'self'; object-src 'none'; base-uri 'none'" }