Content Security Policy (CSP) Generator


Frequently Asked Questions

A Content Security Policy (CSP) is a security header that tells the browser which sources of content it may load. It helps prevent XSS attacks by blocking scripts and styles from any source the policy does not authorize.

Yes. Chrome Extensions ship with a default CSP, and Manifest V3 (MV3) enforces strict rules that ban 'unsafe-eval'. You can customize the CSP in your manifest.json under the 'content_security_policy' key.

'self' means the current origin (your extension's own files). It allows loading resources from your extension's own package, but blocks external domains by default.

'unsafe-inline' allows inline JavaScript (such as onclick handlers and inline <script> blocks) and inline CSS. This is dangerous because it opens the door to XSS attacks: any markup an attacker can inject becomes executable. Use it only for styles when absolutely necessary, never for scripts.

In manifest.json, add: "content_security_policy": {"extension_pages": "script-src 'self'; object-src 'self'; ..."}. For web-accessible resources, use the 'sandbox' key instead.
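The FAQ answers above describe the rules an MV3 'extension_pages' policy has to follow ('self' only for scripts and objects, no 'unsafe-eval', never 'unsafe-inline' for scripts). The following Python script, an added example that is not part of the page or of the generator tool, builds a policy string from a directive map, parses one back into directives, and lints a manifest.json fragment against those rules. The two manifests and the `https://cdn.example` host are constructed samples; `'wasm-unsafe-eval'` is left through because Chrome permits it for WebAssembly in extension pages, which is a fact assumed here rather than stated on the page.

```python
import json

# Constructed sample manifests (not taken from the page). The first uses an
# MV2-style policy that MV3 rejects; the second follows the rules in the FAQ.
WEAK_MANIFEST = json.dumps({
    "manifest_version": 3,
    "content_security_policy": {
        "extension_pages": "script-src 'self' 'unsafe-eval' https://cdn.example; object-src 'self'"
    },
})

SAFE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "content_security_policy": {
        # 'unsafe-inline' is tolerated for styles only, never for scripts.
        "extension_pages": "script-src 'self'; object-src 'self'; style-src 'self' 'unsafe-inline'"
    },
})

# Source keywords that are acceptable in script-src / object-src for MV3
# extension pages. Everything else is flagged for review.
ALLOWED_SCRIPT_SOURCES = {"'self'", "'none'", "'wasm-unsafe-eval'"}


def build_csp(directives: dict[str, list[str]]) -> str:
    """Serialize {directive: [sources]} into a CSP string ("name src src; ...")."""
    return "; ".join(f"{name} {' '.join(sources)}".rstrip()
                     for name, sources in directives.items())


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a CSP string into {directive: [source expressions]}.

    Directives are separated by ';'; within each, the first token is the
    directive name and the rest are sources. Empty segments (e.g. from a
    trailing ';') are ignored, and names are lower-cased for matching.
    """
    directives: dict[str, list[str]] = {}
    for segment in policy.split(";"):
        tokens = segment.split()
        if not tokens:
            continue
        directives[tokens[0].lower()] = tokens[1:]
    return directives


def check_extension_pages_csp(policy: str) -> list[str]:
    """Return human-readable findings for an MV3 'extension_pages' policy.

    Rules encoded: script-src and object-src must be present; 'unsafe-eval'
    is banned; 'unsafe-inline' must not appear in script-src; any other
    non-keyword source (a remote host, for instance) is reported, since MV3
    extension pages may only load scripts from the extension itself.
    """
    findings: list[str] = []
    directives = parse_csp(policy)
    for name in ("script-src", "object-src"):
        sources = directives.get(name)
        if sources is None:
            findings.append(f"{name} is missing; add \"{name} 'self'\"")
            continue
        for src in sources:
            if src == "'unsafe-eval'":
                findings.append(f"{name}: 'unsafe-eval' is banned in MV3 extension pages")
            elif src == "'unsafe-inline'":
                findings.append(f"{name}: 'unsafe-inline' lets injected markup execute (XSS)")
            elif src not in ALLOWED_SCRIPT_SOURCES:
                findings.append(f"{name}: source {src} is not allowed; use 'self'")
    return findings


def lint_manifest(manifest_json: str) -> list[str]:
    """Lint the content_security_policy of a manifest.json document."""
    manifest = json.loads(manifest_json)
    csp = manifest.get("content_security_policy")
    if csp is None:
        return []  # browser default applies: script-src 'self'; object-src 'self'
    if isinstance(csp, str):
        return ["content_security_policy is a string (MV2 style); MV3 needs an "
                "object with 'extension_pages' and/or 'sandbox' keys"]
    if "extension_pages" not in csp:
        return []  # default policy applies to extension pages
    return check_extension_pages_csp(csp["extension_pages"])


if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_MANIFEST), ("safe", SAFE_MANIFEST)):
        print(f"{label}: {lint_manifest(manifest) or 'no findings'}")
    print(build_csp({"script-src": ["'self'"], "object-src": ["'self'"]}))
```

Running the script reports two findings for the weak manifest ('unsafe-eval' and the remote CDN host in script-src) and none for the safe one; the style-src 'unsafe-inline' in the safe manifest is deliberately not reported, matching the FAQ's "styles only" advice.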
