In MV3, do we need to mention the API link in content_security_policy?


Tazim mahta

Sep 19, 2022, 2:45:58 PM
to Chromium Extensions
I am developing an extension that uses an API without mentioning the link in the content_security_policy in manifest.json. If I add the link to the content_security_policy, then it shows the following error:
'content_security_policy.extension_pages': Insecure CSP value "https://cms.example.com/api/*" in directive 'script-src'.

I am using this in the manifest:    
"content_security_policy": {
    "extension_pages": "script-src 'self' https://cms.example.com/api/*; object-src 'self'"
  }
Now, with the CSP removed, it's working fine locally. Will that cause any error while publishing in the Web Store? (I am new and struggling to understand CSP; can anyone help?)

Stefan Van Damme

Oct 3, 2022, 4:11:00 AM
to Chromium Extensions, tanzi...@gmail.com
Hi there,

If you want to fetch data then use connect-src. Example:

Thanks,
Stefan vd

Pawel Kacprzak

Oct 3, 2022, 9:57:20 AM
to Stefan Van Damme, Chromium Extensions, tanzi...@gmail.com
I don't think connect-src is required, am I missing something?
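
Added example, not code from the thread or from Chrome: a small linter for an MV3 extension_pages policy string, assuming Chrome's documented rule that script-src, object-src and worker-src accept only 'self', 'none' and 'wasm-unsafe-eval' in a packed extension (the localhost allowance for unpacked extensions is not modeled). The function names and the second policy string are constructed for illustration.

```javascript
// Sources MV3 accepts in the code-loading directives of a packed extension.
const ALLOWED = new Set(["'self'", "'none'", "'wasm-unsafe-eval'"]);
const RESTRICTED = ["script-src", "object-src", "worker-src"];

// Policy from the question above, and a constructed variant that names the API
// host in connect-src instead of script-src.
const PAGE_CSP = "script-src 'self' https://cms.example.com/api/*; object-src 'self'";
const CONNECT_CSP = "script-src 'self'; object-src 'self'; connect-src https://cms.example.com";

// Parse "name src src; name src" into a Map of directive -> source list.
// As in CSP parsing generally, the first occurrence of a directive wins.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Return every source that would trigger the "Insecure CSP value" manifest error.
function insecureSources(policy) {
  const findings = [];
  for (const [directive, sources] of parseCsp(policy)) {
    if (!RESTRICTED.includes(directive)) continue;
    for (const source of sources) {
      if (!ALLOWED.has(source.toLowerCase())) findings.push({ directive, source });
    }
  }
  return findings;
}

// Name the directive that limits fetch()/XHR destinations: connect-src,
// else the default-src fallback, else null (CSP places no limit on them).
function fetchGovernedBy(policy) {
  const directives = parseCsp(policy);
  if (directives.has("connect-src")) return "connect-src";
  if (directives.has("default-src")) return "default-src";
  return null;
}

for (const csp of [PAGE_CSP, CONNECT_CSP]) {
  console.log(csp, insecureSources(csp), fetchGovernedBy(csp));
}
```

The check flags the API URL only because it sits in script-src, which controls where scripts may be loaded from, not where requests may be sent.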
