Manifest - Sandbox
Defines a collection of extension pages that are to be served in a sandboxed unique origin. The Content Security Policy used by an extension's sandboxed pages is specified in the
Being in a sandbox has two implications:
- A sandboxed page will not have access to extension APIs, or direct access to non-sandboxed pages (it may communicate with them via
- A sandboxed page is not subject to the Content Security Policy (CSP) used by the rest of the extension (it has its own separate CSP value). This means that, for example, it can use inline script and
For example, here's how to specify that two extension pages are to be served in a sandbox with a custom CSP:
"sandbox": "sandbox allow-scripts; script-src 'self' https://example.com"
If not specified, the default
content_security_policy value is
sandbox allow-scripts allow-forms allow-popups allow-modals; script-src 'self' 'unsafe-inline' 'unsafe-eval'; child-src 'self';.
You can specify your CSP value to restrict the sandbox even further, but it MUST include the
sandbox directive and MUST NOT have the
allow-same-origin token (see the HTML5 specification for possible sandbox tokens).
pages list because they will use the sandbox of the frame that embeds them.
"Using eval in Chrome Extensions. Safely." goes into more detail about implementing a sandboxing workflow that enables use of libraries that would otherwise have issues executing under extension's default Content Security Policy.
Sandboxed pages may only be specified when using
manifest_version 2 or above.