CSP script-src directive


In the extension settings, in the Capabilities tab, the new CSP settings allow me to customize the img-src, media-src and connect-src directives.

What about the script-src directive? Should I add that directly into the header of my index.html file?

It seems that one of the Google Firebase scripts that I use (I have no control over it) is trying to randomly add a script to my extension HTML, which is blocked.
How should I proceed?

Thank you,

script-src is not supported.

JavaScript is allowed from the following locations:

  • Twitch (for the Extension Helper)
  • Your Extension
  • Google Analytics

And that is it.

You cannot modify the script-src CSP for security reasons.

So you should be able to include the Firebase script locally and not from their CDN.

See also: “Scripts (JavaScript)”

And a final note: HTML HEAD/meta CSPs are not supported by Twitch at all.

The Google Firebase package is included in my bundle, but the code is trying to import a script at runtime (manipulating the DOM and adding a script tag). I have no control over this. What should I do?

Sounds like this version of Firebase is not supported for Twitch Extensions, or you need to read further on Firebase on how to tell Firebase not to do this.
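
The following is an added example, not part of the thread and not code from Twitch or Firebase: a static check that scans a built bundle for script URLs a fixed script-src allow-list would block, plus runtime `<script>` creation calls. The function name `auditBundle`, the allow-list origins and the sample bundle are assumptions (placeholders and constructed data); substitute the origins Twitch documents.

```javascript
// Assumed allow-list mirroring the three sources named in the thread.
// These origins are placeholders, not Twitch's real values.
const ALLOWED_SCRIPT_ORIGINS = [
  "https://twitch-helper.example", // Twitch Extension Helper (placeholder)
  "https://my-extension.example",  // your extension's own origin (placeholder)
  "https://analytics.example",     // Google Analytics (placeholder)
];

// Absolute http(s) URLs inside string literals of plain or minified JS.
const URL_LITERAL = /["'`](https?:\/\/[^"'`\s\\]+)["'`]/g;
// DOM calls that create a <script> element at runtime.
const SCRIPT_CREATION = /createElement\(\s*["'`]script["'`]\s*\)/g;

function auditBundle(source, allowedOrigins = ALLOWED_SCRIPT_ORIGINS) {
  const blocked = new Set();
  for (const match of source.matchAll(URL_LITERAL)) {
    let url;
    try {
      url = new URL(match[1]);
    } catch {
      continue; // not a parseable URL, e.g. a template fragment
    }
    // Only script-like resources are governed by script-src.
    if (!/\.js$/i.test(url.pathname)) continue;
    if (!allowedOrigins.includes(url.origin)) blocked.add(url.href);
  }
  const injections = [...source.matchAll(SCRIPT_CREATION)].length;
  return { blocked: [...blocked].sort(), injections };
}

// Constructed sample standing in for a bundled third-party SDK.
const SAMPLE_BUNDLE = `
  function load(u){var s=document.createElement("script");s.src=u;document.head.appendChild(s)}
  load("https://sdk-cdn.example/js/api.js");
  load('https://my-extension.example/vendor/local.js');
  fetch("https://api.example/v1/data.json");
`;

console.log(auditBundle(SAMPLE_BUNDLE));
```

URLs assembled by string concatenation are not caught by the literal scan, so a non-zero `injections` count with an empty `blocked` list still warrants reading the loader code.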