CSP and Browser Extensions: Common Mistakes to Fix
Browser extensions make CSP debugging weird. You lock down script-src, remove inline code, add nonces, maybe even deploy strict-dynamic, and then someone on the team says: “Why is this extension still injecting stuff into our page?” Or worse: “Why is our app breaking only for users with ad blockers?” That confusion usually comes from one bad assumption: people expect a site’s CSP to control browser extensions the same way it controls page code. It doesn’t. ...
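A practical consequence of that mismatch, shown as an added example that is not part of the original post: when you collect CSP violation reports, resources an extension pushed into the page show up with browser-specific schemes (`chrome-extension://`, `moz-extension://`), and they need to be separated from violations your own policy can actually fix. The reporting endpoint, the field handling and the sample reports below are assumptions of this example, not the author's setup.

```python
import json
from urllib.parse import urlsplit

# Schemes browsers use for extension resources. A report naming one of these
# was triggered by an extension, not by code the site shipped, so it is noise
# when you are debugging the site's own policy.
EXTENSION_SCHEMES = {
    "chrome-extension", "moz-extension", "safari-extension",
    "safari-web-extension", "ms-browser-extension",
}

# Both the legacy "csp-report" field names and the Reporting API camelCase
# names are checked, so the function works with either envelope.
URI_FIELDS = ("blocked-uri", "blockedURL", "source-file", "sourceFile")


def is_extension_report(report: dict) -> bool:
    """True when the violation was caused by a browser extension, not page code."""
    for field in URI_FIELDS:
        value = report.get(field) or ""
        if urlsplit(value).scheme in EXTENSION_SCHEMES:
            return True
    return False


def triage(raw_reports):
    """Split raw JSON reports into ones you can act on and extension-caused noise."""
    actionable, extension_noise = [], []
    for raw in raw_reports:
        body = json.loads(raw)
        # Legacy report-uri posts wrap the body in "csp-report"; Reporting API
        # (assumed here to be unwrapped already) does not.
        report = body.get("csp-report", body)
        (extension_noise if is_extension_report(report) else actionable).append(report)
    return actionable, extension_noise


# Constructed sample reports for this example; they are not real telemetry.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": "https://app.example/", "violated-directive": "script-src",
                               "blocked-uri": "chrome-extension://EXTENSION-ID-PLACEHOLDER/inject.js"}}),
    json.dumps({"csp-report": {"document-uri": "https://app.example/", "violated-directive": "script-src",
                               "blocked-uri": "inline", "source-file": "moz-extension://UUID-PLACEHOLDER/content.js"}}),
    json.dumps({"csp-report": {"document-uri": "https://app.example/checkout", "violated-directive": "script-src",
                               "blocked-uri": "https://cdn.thirdparty.example/widget.js"}}),
    json.dumps({"csp-report": {"document-uri": "https://app.example/", "violated-directive": "script-src",
                               "blocked-uri": "inline", "source-file": "https://app.example/legacy.js", "line-number": 40}}),
]

if __name__ == "__main__":
    fixable, noise = triage(SAMPLE_REPORTS)
    print(f"{len(fixable)} actionable report(s), {len(noise)} caused by extensions")
```

Filtering these out keeps the "app breaks only for users with ad blockers" class of reports from drowning out the inline-script and third-party-CDN violations that a nonce or allow-list change would actually fix.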