Any way to avoid Content Security Policy violations for elements inserted by extensions?

Hi! It seems like in Safari, elements inserted into a page by web extensions (such as <style> and <script> elements) are currently subject to the page's Content Security Policy. If the CSP is strict enough, this prevents these elements from loading.

Based on my testing, I've found that this behavior is different in other browsers, where a page's CSP is not applied to elements inserted by an extension.

Is this expected behavior in Safari, or might it be considered a bug? Any advice on working around these restrictions, as it currently prevents my extension from working correctly on websites with a strict CSP?

To help us look into this further, could you share more about what scripts or styles your extension is injecting, and what errors you’re seeing in Web Inspector’s Console? Any specifics on which browsers behave differently would be really useful too.

If you can reproduce it consistently, please file a report at either bugs.webkit.org or feedbackassistant.apple.com including the URL of a page/site where this happens, a minimal sample extension that shows the issue, and any Web Inspector console messages. That will help us investigate. Thanks!

The violation happens for any script or style injected, as long as it violates the script-src or style-src CSP directive set by a page. The same actually happens for <img> elements when they violate the img-src directive.

When the extension inserts the element, a securitypolicyviolation event is sent and a related error message is shown in the console. The same script works without issue at least in Chrome.

I'll file a report with more info and a sample extension for this. Thanks!
