Content Security Policy (CSP)

Reduce attack surface with strict, documented rules.

Core rules

  • No inline/eval: forbid unsafe-inline/unsafe-eval; allow scripts only by nonce or hash.
  • Restrict connect-src: whitelist the minimum set of backend origins; no wildcard or scheme-only sources.
  • Explicit media rules: set img-src/media-src/font-src precisely.
  • Documented allowlist: keep an owner and review cadence for every domain.

Process

  • Inventory outbound calls from service worker, content scripts, and UI surfaces.
  • Whitelist the minimal set per environment (prod/stage/dev), gated by feature flags.
  • Add monitors (telemetry on blocked requests; error sampling).
  • Review quarterly to prune unused hosts and update ownership.

Pitfalls

  • Wildcard connect-src that masks unexpected data flows.
  • Silently adding CDNs via libraries without updating CSP.
  • Missing documentation for why a domain is required.
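A small policy linter that checks the core rules above and flags the listed pitfalls, added here as an example (not from any project). The allowlist, hostnames and sample policies are constructed for illustration; the allowlist shape (owner plus review marker per origin) is an assumption that mirrors the "documented allowlist" rule.

```python
# Constructed allowlist: every origin carries an owner and a last-review marker,
# as the documented-allowlist rule requires. Hostnames are assumed, not real.
ALLOWLIST = {
    "https://api.example.com": {"owner": "platform-team", "reviewed": "2024-Q1"},
    "https://telemetry.example.com": {"owner": "sre", "reviewed": "2024-Q1"},
}
MEDIA_DIRECTIVES = ("img-src", "media-src", "font-src")
HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(policy):
    """Split "a b c; d e" into {"a": ["b", "c"], "d": ["e"]}."""
    directives = {}
    for chunk in policy.split(";"):
        parts = chunk.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def lint_csp(policy, allowlist=ALLOWLIST):
    """Return one finding per core rule the policy breaks; [] means it passes."""
    d = parse_csp(policy)
    findings = []
    script = d.get("script-src", d.get("default-src", []))
    if any(s in ("'unsafe-inline'", "'unsafe-eval'") for s in script):
        findings.append("script-src permits unsafe-inline or unsafe-eval")
    if not any(s.startswith(HASH_PREFIXES) for s in script):
        findings.append("script-src has no nonce or hash source")
    if "connect-src" not in d:
        findings.append("connect-src not set (inherits default-src)")
    for src in d.get("connect-src", []):
        if src in ("'self'", "'none'"):
            continue
        # "*", "https://*.example.com" and scheme-only "https:" all mask data flows
        if "*" in src or src.endswith(":"):
            findings.append(f"connect-src wildcard: {src}")
        elif src not in allowlist or not allowlist[src].get("owner"):
            findings.append(f"connect-src origin without documented owner: {src}")
    for name in MEDIA_DIRECTIVES:
        if name not in d:
            findings.append(f"{name} not set explicitly")
    return findings


# Constructed policies: one following the core rules, one showing the pitfalls.
STRICT = ("default-src 'none'; script-src 'nonce-r4nd0m'; connect-src 'self' "
          "https://api.example.com; img-src 'self'; media-src 'none'; font-src 'self'")
LOOSE = "default-src 'self' 'unsafe-inline'; connect-src https://*.example.com https://cdn.other.net"
```

Running `lint_csp(LOOSE)` reports the inline script, the missing nonce/hash, the wildcard, the undocumented CDN and the three unset media directives; `lint_csp(STRICT)` returns an empty list.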