
Connect-src is limited

ab-001337 · extension-permissions-security.host-permissions-minimization.connect-src-limited
Severity: low · Status: active

Why it matters

CWE-200 (Exposure of Sensitive Information) applies when connect-src is unrestricted: an XSS vulnerability in an extension page could exfiltrate user data, stored credentials, or browsing history to an arbitrary attacker-controlled server if connect-src allows *. OWASP A05 (Security Misconfiguration) governs this: a CSP that restricts scripts but not network connections provides incomplete protection. An explicit connect-src allowlist is also a trust signal to users and Chrome Web Store reviewers — it makes explicit which servers the extension communicates with, which is a requirement for extensions handling sensitive user data.

Severity rationale

Low because exploiting an unrestricted `connect-src` requires a prior code execution vulnerability in the extension, but when that condition exists, the network exfiltration path is completely unblocked.

Remediation

Add an explicit connect-src directive in manifest.json CSP listing only the API backends your extension actually contacts.

"content_security_policy": {
  "extension_pages": "script-src 'self'; object-src 'none'; connect-src 'self' https://api.yourdomain.com"
}

Do not use connect-src * or connect-src https: — these defeat the purpose of CSP network restrictions. If your extension uses WebSockets, add the wss:// equivalent of your backend explicitly.

Detection

  • ID: extension-permissions-security.host-permissions-minimization.connect-src-limited

  • Severity: low

  • What to look for: Quote the connect-src directive from the CSP in manifest.json. Count the number of backend endpoints listed. Check for wildcards or overly broad domains.

  • Pass criteria: connect-src lists only specific API backends, with no wildcard (*) or broad scheme-only (https:) entries. Report the count of connect-src entries found and list the allowed backends.

  • Fail criteria: connect-src allows * or broad wildcards (unless justified for a general API tool).

  • Skip (N/A) when: CSP not explicit (default allows self).

  • Detail on fail: "CSP connect-src is overly broad — allows connections to any server."

  • Remediation: Lock down which servers your extension can send data to in manifest.json CSP.

    "content_security_policy": { "extension_pages": "connect-src 'self' https://api.yourdomain.com" }
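    The remediation and the detection criteria above can be turned into a small checker. The following Node.js script is an added example written for this page, not tooling from the rule catalogue or from Chrome: it reads the `content_security_policy` entry of a manifest object (MV3 object form or MV2 string form, both assumed), extracts the `connect-src` directive, counts the listed backends, and returns pass / fail / skip with the same reasons the rule uses. The function names and the sample manifests are constructed for illustration.

```javascript
// Added example checker for the connect-src rule; function names are this
// example's own, the sample manifests below are constructed, not real ones.

// Sources that let extension pages connect to any server.
const BROAD_SOURCES = new Set([
  '*', 'http:', 'https:', 'ws:', 'wss:',
  'http://*', 'https://*', 'ws://*', 'wss://*',
]);

// Split a CSP string into { directiveName: [source, ...] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives[name.toLowerCase()] = values;
  }
  return directives;
}

// Return the extension_pages policy string, or null when no CSP is explicit.
function extensionPagesCsp(manifest) {
  const csp = manifest.content_security_policy;
  if (typeof csp === 'string') return csp;                                       // MV2 form
  if (csp && typeof csp.extension_pages === 'string') return csp.extension_pages; // MV3 form
  return null;
}

// True for '*', scheme-only sources, and wildcard-only hosts such as https://*:443.
function isBroad(source) {
  const s = source.toLowerCase().replace(/\/$/, '');
  if (BROAD_SOURCES.has(s)) return true;
  return /^[a-z]+:\/\/\*(:\d+)?$/.test(s);
}

// Apply the rule: skip when CSP or connect-src is absent, fail on broad
// sources, otherwise pass and report the allowed backends.
function checkConnectSrc(manifest) {
  const policy = extensionPagesCsp(manifest);
  if (policy === null) {
    return { result: 'skip', reason: 'CSP not explicit (default allows self)', backends: [], broad: [], count: 0 };
  }
  const directives = parseCsp(policy);
  // connect-src falls back to default-src when it is not set explicitly.
  const sources = directives['connect-src'] || directives['default-src'];
  if (!sources) {
    return { result: 'skip', reason: 'no connect-src or default-src directive in CSP', backends: [], broad: [], count: 0 };
  }
  const broad = sources.filter(isBroad);
  const backends = sources.filter((s) => !isBroad(s) && s !== "'self'" && s !== "'none'");
  if (broad.length > 0) {
    return {
      result: 'fail',
      reason: 'CSP connect-src is overly broad - allows connections to any server.',
      backends, broad, count: backends.length,
    };
  }
  return { result: 'pass', reason: `connect-src lists ${backends.length} backend(s)`, backends, broad: [], count: backends.length };
}

// Constructed sample manifests covering pass, fail and skip.
const SAMPLES = {
  locked_down: { content_security_policy: { extension_pages:
    "script-src 'self'; object-src 'none'; connect-src 'self' https://api.yourdomain.com wss://api.yourdomain.com" } },
  wildcard:    { content_security_policy: { extension_pages: "script-src 'self'; object-src 'none'; connect-src *" } },
  scheme_only: { content_security_policy: { extension_pages: "script-src 'self'; object-src 'none'; connect-src 'self' https:" } },
  mv2_string:  { content_security_policy: "script-src 'self'; object-src 'self'" },
  no_csp:      {},
};

for (const [name, manifest] of Object.entries(SAMPLES)) {
  const r = checkConnectSrc(manifest);
  console.log(`${name}: ${r.result} (${r.reason})`, r.backends);
}
```

    To run it against a real manifest, replace the `SAMPLES` object with `JSON.parse(fs.readFileSync('manifest.json', 'utf8'))`. Note that a source such as `https://*.yourdomain.com` is counted as a backend rather than flagged, so review the reported list, not just the verdict.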
    
