
Chrome Extension Content-security-policy Throwing Errors, While It's Set On *

I've tried all possible setups for the CSP settings in my manifest.json, this is my current (very open and unsafe, I know). When I open the background inspect for the extension, th

Solution 1:

You can only relax CSP in Chrome extensions to a certain extent

The "content_security_policy" entry in the Chrome extension manifest allows developers to relax the CSP to a certain extent only. The subset of values allowed for style-src is very limited. To quote the official documentation:

Currently, developers can allowlist origins with the following schemes: blob, filesystem, https, and chrome-extension. The host part of the origin must explicitly be specified for the https and chrome-extension schemes. Generic wildcards such as https:, https://* and https://*.com are not allowed; ...

Many of the values specified in your CSP (e.g. * and 'unsafe-inline' for script-src) are not valid in "content_security_policy", and Chrome ignores them (with a warning) when parsing manifest.json.

Why you don't see warnings or errors about the invalid CSP values

I suspect that you might be checking for errors in the JavaScript console of the background page. You need to check the errors and warnings generated for your manifest.json first. Go to chrome://extensions/ and click on the Errors button for your extension. There will be several warnings such as this:

'content_security_policy': Ignored insecure CSP value "*" in directive 'script-src'.

Edit: I just noticed that the Errors page (chrome://extensions/?errors=<extension-id>) behaves inconsistently. There seems to be a bug that causes the warnings about ignored CSP values to only show up after reloading the extension.

Links to documentation:

"content_security_policy" in Chrome

"content_security_policy" in Firefox (The specification is basically identical but I find the documentation on MDN nicer and easier to follow.)
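
The allowlist rule quoted in the answer above, written out as a small linter that reports which sources in a manifest CSP string fall outside it. This is an added example, not code from the original post or from Chrome; the function names, the accepted keyword set and the one-label test for hosts like *.com are assumptions, and the policy string is constructed.

```javascript
// Added example: approximates the allowlist rule quoted above.
// Not Chrome's manifest parser; all names here are hypothetical.
const ALLOWED_SCHEMES = ['blob', 'filesystem', 'https', 'chrome-extension'];
// Assumption: these keywords and hash sources are accepted. The page itself
// only says that * and 'unsafe-inline' are ignored for script-src.
const KEYWORD_OK = /^'(self|none|unsafe-eval|sha(256|384|512)-[A-Za-z0-9+\/=]+)'$/;

function checkSource(src) {
  if (src === '*') return 'generic wildcard';
  if (src.startsWith("'")) return KEYWORD_OK.test(src) ? null : 'keyword not accepted';
  const m = /^([a-z][a-z0-9+.-]*):(?:\/\/([^/:]*))?/i.exec(src);
  if (!m) return 'no scheme given';
  const scheme = m[1].toLowerCase();
  const host = m[2] || '';
  if (!ALLOWED_SCHEMES.includes(scheme)) return 'scheme not allowed';
  if (scheme === 'blob' || scheme === 'filesystem') return null;
  if (host === '') return 'host must be explicit';
  if (host === '*') return 'generic wildcard host';
  const rest = host.startsWith('*.') ? host.slice(2) : host;
  if (rest.includes('*')) return 'wildcard must be the leftmost label';
  // Approximation: a host such as *.com has a single label after "*.".
  // A precise check would consult the public suffix list (*.co.uk passes here).
  if (rest !== host && rest.split('.').length < 2) return 'wildcard covers a whole TLD';
  return null;
}

// Returns [{directive, value, reason}] for each source outside the quoted rule.
function lintExtensionCsp(csp, directives = ['script-src']) {
  const findings = [];
  for (const part of csp.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (!name || !directives.includes(name.toLowerCase())) continue;
    for (const value of sources) {
      const reason = checkSource(value);
      if (reason) findings.push({ directive: name.toLowerCase(), value, reason });
    }
  }
  return findings;
}

// Constructed policy in the spirit of the "very open" one from the question.
const SAMPLE = "script-src 'self' 'unsafe-inline' * https: https://*.com https://cdn.example.com; object-src 'self'";
console.log(lintExtensionCsp(SAMPLE));
```

Every value it reports should also be checked against the warnings on the chrome://extensions/ Errors page after reloading the extension, since that page is the authoritative record of what Chrome dropped.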
