content-security-policy

Question is regarding having CSP served twice: What's the behavior if there is one policy served through the Content-Security-Policy HTTP response header and also another policy specified with the <meta /> element? Will those two be merged somehow? Or else which one has priority? (I cannot find clear info on this in the spec). Specific use case might be serving Report-to through the HTTP response header and putting all other restrictions in the <meta /> element — because some of those are generated by webpack - and if I shouldn't be worried about <meta /> shallowed by the HTTP response-header

Small problem with my chrome extension. I just wanted to get a JSON array from another server. But manifest 2 doesn't allow me to do it. I tried specify content_security_policy , but the JSON array is stored on a server without SSL cert. So, what should I do without using manifest 1? The CSP cannot cause the problem you've described. It's very likely that you're using JSONP instead of plain JSON. JSONP does not work in Chrome, because JSONP works by inserting a <script> tag in the document, whose src attribute is set to the URL of the webservice. This is disallowed by the CSP . Provided that

I am making a chrome extension that will open all links on a page in new tabs. Here are my code files: manifest.json { "name": "A browser action which changes its icon when clicked.", "version": "1.1", "permissions": [ "tabs", "<all_urls>" ], "browser_action": { "default_title": "links", // optional; shown in tooltip "default_popup": "popup.html" // optional }, "content_scripts": [ { "matches": [ "<all_urls>" ], "js": ["background.js"] } ], "manifest_version": 2 } popup.html <!doctype html> <html> <head> <title>My Awesome Popup!</title> <script> function getPageandSelectedTextIndex() { chrome