Base tag injection (CAPEC-86) is a real attack: if an attacker can inject <base href="https://evil.com/"> into an extension page via DOM XSS, all relative URLs in that page — scripts, images, API calls — resolve to the attacker's server. CWE-16 (Configuration) names the failure: omitting base-uri from CSP leaves a bypass path for XSS that circumvents script-src. OWASP A05 (Security Misconfiguration) applies. Setting base-uri 'none' costs nothing and closes a class of attack that bypasses otherwise correct CSP configurations. Chrome extension security guidance lists this as a required directive for hardened CSPs.
Severity is medium because base tag injection requires a prior XSS opportunity; when that condition exists, the injected tag redirects all relative resource loads to an attacker-controlled origin.
Add base-uri 'none'; to your CSP string in manifest.json. This prevents any <base> tag from taking effect, even if one is injected via XSS.
"content_security_policy": {
  "extension_pages": "script-src 'self'; object-src 'none'; base-uri 'none'"
}
Prefer 'none' over 'self' for base-uri — extension pages rarely need a <base> tag, and 'none' is the stricter posture.
ID: extension-permissions-security.content-security-policy.base-uri-restricted
Severity: medium
What to look for: Enumerate all CSP directives from manifest.json. Quote the base-uri directive value. Verify it is set to 'none' or 'self' to prevent base tag injection attacks.
Pass criteria: base-uri is set to 'none' or 'self' in the CSP. At least 1 explicit base-uri directive must be present in the policy string. Quote the actual value found.
Fail criteria: base-uri is missing from the CSP entirely.
Skip (N/A) when: Never — base tag injection is a real attack vector.
Detail on fail: "CSP does not restrict base-uri. Attackers could inject <base> tags to hijack relative links."
Remediation: Add base-uri 'none'; or base-uri 'self'; to your CSP in manifest.json.
"content_security_policy": { "extension_pages": "script-src 'self'; object-src 'none'; base-uri 'none'" }
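One way to automate the check described under "What to look for", as an added example (not part of the original rule or of any Chrome tooling). The function names and sample manifests are constructed for illustration; treating a base-uri value other than a lone 'none' or 'self' as a failure is an assumption drawn from the pass criteria.

```javascript
// Parse a CSP string into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase(); // directive names are case-insensitive
    // Per CSP, a repeated directive is ignored; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// MV3 keeps the policy under content_security_policy.extension_pages;
// MV2 keeps it as a plain string. No policy at all means no base-uri.
function extensionPagesCsp(manifest) {
  const csp = manifest.content_security_policy;
  if (typeof csp === 'string') return csp;
  if (csp && typeof csp.extension_pages === 'string') return csp.extension_pages;
  return '';
}

// Enumerate directives, quote the base-uri value, and apply the criteria.
function checkBaseUri(manifest) {
  const directives = parseCsp(extensionPagesCsp(manifest));
  const names = [...directives.keys()];
  const sources = directives.get('base-uri');
  if (sources === undefined) {
    return { pass: false, directives: names, value: null,
      detail: 'CSP does not restrict base-uri. Attackers could inject <base> tags to hijack relative links.' };
  }
  const value = sources.join(' ');
  // Assumption: only a lone 'none' or 'self' passes; any other list fails.
  const pass = sources.length === 1 &&
    ["'none'", "'self'"].includes(sources[0].toLowerCase());
  return { pass, directives: names, value,
    detail: pass ? `base-uri is ${value}`
                 : `base-uri is ${value || '(empty)'}; expected 'none' or 'self'` };
}

// Constructed sample manifests (not taken from any real extension).
const hardened = { manifest_version: 3, content_security_policy: {
  extension_pages: "script-src 'self'; object-src 'none'; base-uri 'none'" } };
const missing = { manifest_version: 3, content_security_policy: {
  extension_pages: "script-src 'self'; object-src 'none'" } };
const legacy = { manifest_version: 2,
  content_security_policy: "script-src 'self'; Base-URI 'self'; base-uri *" };

for (const m of [hardened, missing, legacy]) console.log(checkBaseUri(m));
```

The legacy sample passes because the first base-uri directive wins and the later `base-uri *` is ignored, which is why the parser keeps only the first occurrence.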