chrome-extensions-samples
Trouble upgrading Content-Security-Policy from third party from Manifest v2 to Manifest v3
I'm unclear how to resolve my invalid CSP. I'm unable to find an example in the Google Chrome extension guide Migrating to Manifest v3 (https://developer.chrome.com/docs/extensions/mv3/intro/mv3-migration/#content-security-policy).
Could you provide an example in here for it?
Here is what I have:
Manifest v2
"content_security_policy": "script-src 'self' 'unsafe-eval' https://cdn.firebase.com https://apis.google.com https://www.gstatic.com; object-src 'self'"
In Manifest v3 there are properties to give values to, but I don't see an example for outside sites.
How do I configure this for a Google Chrome extension in Manifest v3?
What exactly are you trying to achieve?
Create a sandbox page that will be available and reachable to other parts of your code with some tweaking and message passing.
Set CORS for the sandbox to include 'unsafe-eval'.
For the script-src of your extension_pages, 'unsafe-eval' will never allow you to load the extension.
There are few explanations and examples of the sandbox, and it is difficult to understand.
The extension_pages property sets the CSP for the extension's pages to allow scripts from the extension itself ('self') and from external domains like https://cdn.firebase.com, https://apis.google.com, and https://www.gstatic.com. It also allows objects to be loaded only from the extension itself ('self'). Note that you should adjust the script-src and object-src directives to match your specific needs and security requirements.
Also, note that the sandbox property is set to allow scripts and same-origin content. This can help mitigate the risk of vulnerabilities in your code by isolating it from other content on the page.
"content_security_policy": { "extension_pages": "script-src 'self' 'unsafe-eval' https://cdn.firebase.com https://apis.google.com https://www.gstatic.com; object-src 'self'", "sandbox": "allow-scripts allow-same-origin" }
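As an added example (not code from the chrome-extensions-samples repository or from anyone in this thread), here is a small helper that rewrites the MV2 `content_security_policy` string from the question into the MV3 object form, dropping what MV3 refuses to load in `extension_pages` and reporting what has to move. The `extension_pages` and `sandbox` key names come from Chrome's manifest docs; the helper names, the allow-list and the sandbox CSP string are my own assumptions.

```javascript
// MV3 accepts only these keywords in extension_pages script-src; remote hosts
// and 'unsafe-eval' cause the manifest to be rejected at load time.
const EXTENSION_PAGES_SCRIPT_OK = new Set(["'self'", "'none'", "'wasm-unsafe-eval'"]);

// Assumed sandbox CSP (based on Chrome's documented default for sandboxed pages).
// eval is tolerated here because a sandboxed page runs in a unique origin
// with no access to extension APIs, so it cannot reach extension privileges.
const SANDBOX_CSP =
  "sandbox allow-scripts allow-forms allow-popups allow-modals; " +
  "script-src 'self' 'unsafe-inline' 'unsafe-eval'; child-src 'self'";

// "script-src a b; object-src c" -> [["script-src", ["a","b"]], ["object-src", ["c"]]]
function parseCsp(csp) {
  return csp.split(";")
    .map((d) => d.trim().split(/\s+/).filter(Boolean))
    .filter((parts) => parts.length > 0)
    .map((parts) => [parts[0], parts.slice(1)]);
}

function migrateCsp(mv2Csp) {
  const removedSources = [];    // remote hosts that must be bundled locally
  let needsSandboxPage = false; // 'unsafe-eval' may only live in a sandbox page
  const kept = parseCsp(mv2Csp).map(([name, values]) => {
    if (name !== "script-src") return [name, values];
    const allowed = values.filter((v) => {
      if (v === "'unsafe-eval'") { needsSandboxPage = true; return false; }
      if (!EXTENSION_PAGES_SCRIPT_OK.has(v)) { removedSources.push(v); return false; }
      return true;
    });
    // never emit an empty script-src; 'self' is what MV3 defaults to anyway
    return [name, allowed.length ? allowed : ["'self'"]];
  });
  const extensionPages = kept.map(([n, v]) => `${n} ${v.join(" ")}`).join("; ");
  const csp = { extension_pages: extensionPages };
  if (needsSandboxPage) csp.sandbox = SANDBOX_CSP;
  return { content_security_policy: csp, removedSources, needsSandboxPage };
}

// Sample input: the MV2 value posted in the question above.
const MV2_CSP =
  "script-src 'self' 'unsafe-eval' https://cdn.firebase.com " +
  "https://apis.google.com https://www.gstatic.com; object-src 'self'";

console.log(JSON.stringify(migrateCsp(MV2_CSP), null, 2));
```

The reported `removedSources` are the libraries that now have to ship inside the extension package, and `needsSandboxPage` means the code that depended on eval belongs in a page listed under the manifest's `sandbox.pages`, talked to via message passing.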