Content Security Policy (CSP)

In order to mitigate a large class of potential cross-site scripting issues, the Microsoft Edge Extension system has incorporated Content Security Policy (CSP). This introduces some strict policies that make Extensions more secure by default, and provides you with the ability to create and enforce rules governing the types of content that can be loaded and run by your Extensions and applications.

In general, CSP works as a block/allowlisting mechanism for resources loaded or run by your Extensions. Defining a reasonable policy for your Extension enables you to carefully consider the resources that your Extension requires, and to ask the browser to ensure that those are the only resources your Extension has access to. The policies provide security over and above the host permissions your Extension requests; they are an additional layer of protection, not a replacement.

On the web, such a policy is defined via an HTTP header or meta element. Inside the Microsoft Edge Extension system, neither is an appropriate mechanism. Instead, an Extension policy is defined using the manifest.json file for the Extension as follows:

    "content_security_policy": "[POLICY STRING GOES HERE]"

For full details regarding the CSP syntax, please take a look at the W3C Content Security Policy specification , and An Introduction to Content Security Policy at HTML5Rocks.

Default Policy Restrictions

Packages that don't define a manifest_version don't have a default content security policy.

Packages that use manifest_version have the following default content security policy:

script-src 'self'; object-src 'self'