New Extensions policy for Content Security Policy (CSP) directives and timeline for enforcement

Since its launch, thousands of Extensions have delivered exciting and dynamic experiences to millions of creators and viewers on Twitch. As the Extensions framework allows a high level of flexibility, we must occasionally make technical and policy changes to ensure the security, privacy, and safety of our communities. Today we are announcing a new policy for Extensions for this reason:

2.12 You must provide all URLs that are fetched by the Extension front end on each version submission, this includes but is not limited to images, video, audio, and fetch/XHR requests.

Alongside this new policy, Extensions developers must now set three new fields in the metadata of their Extension, “Allowlist for Image Domains”, “Allowlist for Media Domains”, and “Allowlist for URL Fetching Domains”. These fields will be used to define the allowed domains in the CSP directives img-src, media-src, and connect-src respectively. With these fields, developers will be able to define the domains that images and media can be safely loaded from, and which HTTPS/WSS domains can be safely connected to.

Starting today, you can submit new Extension versions with these domain allowlists defined. On Tuesday, January 25, 2022, all Extensions will be rendered with CSP policy enforced to only allow resources from your domain allowlists. We are making this announcement today to allow you sufficient time to update your Extension.

If you have any questions about this change, please consult the FAQ below, and feel free to comment directly on this thread.

Frequently Asked Questions

How can I test this change before the January 25 enforcement date?

While your Extension is in Hosted Test, you can use a tool to modify the headers (e.g. SimplyModifyHeaders) to rewrite your local CSP rules to only allow your list of trusted domains. You will add your domains to the CSP directives img-src, media-src, and connect-src. More information on CSPs can be found here.

Do all Extensions require setting the domains allowlists?

Any Extension that serves front-end resources outside of the uploaded asset package, or connects to a remote resource (XHR, WebSockets), will need to specify the trusted domains that will be used. If all of your front-end resources are included in your uploaded asset package, and your front end does not connect to a remote resource, you will not need to set anything in the domain allowlist fields.

Are any domains prohibited in the allowlist?

As a general rule, we cannot allow base domains of public hosting services. For example, if you are serving assets out of Amazon Web Services S3, we cannot allow https://s3.us-west-2.amazonaws.com, but we could allow the domain name that specifies your bucket (e.g., https://some-bucket.s3.us-west-2.amazonaws.com).

What happens to my live Extension if no changes are made by the enforcement date?

Any requests to include or to connect to resources will be blocked by the CSP, with the exception of resources included in your asset package, served from Twitch’s CDN.

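The header rewrite the FAQ describes (restricting img-src, media-src and connect-src to your allowlists, and applying the base-domain rule for public hosting services) as an added Python example. This is not Twitch's code nor the header-modifying add-on's; the allowlist field names, the sample header and the list of prohibited base domains are constructed here for illustration, and it assumes wildcard sources such as `*` and `https:` are replaced by the allowlist rather than merged with it, which the announcement does not state.

```python
"""Rewrite a CSP header's img-src, media-src and connect-src directives to an
Extension's domain allowlists, the way a header-modifying browser tool would
during Hosted Test.  Added example, not Twitch's code; the sample header, the
field names and the public-hosting base-domain list are constructed."""
from urllib.parse import urlsplit

# Assumed mapping from the three metadata fields named in the announcement to
# the CSP directives they populate (field names are constructed here).
FIELD_TO_DIRECTIVE = {
    "image_domains": "img-src",
    "media_domains": "media-src",
    "url_fetching_domains": "connect-src",
}

# Constructed stand-in for "base domains of public hosting services"; Twitch's
# real list is not published on the page.  The entry is the FAQ's own example.
PUBLIC_HOSTING_BASE_DOMAINS = {
    "s3.us-west-2.amazonaws.com",
}

# Sources kept from the existing directive: the asset package itself plus
# inline data:/blob: URLs.  Wildcards such as '*' and 'https:' are dropped.
ALWAYS_ALLOWED = ("'self'", "data:", "blob:")

# Constructed sample header in the shape of an Extension's current policy.
SAMPLE_CSP = (
    "default-src 'self' https://{CLIENTID}.ext-twitch.tv; block-all-mixed-content; "
    "img-src * data: blob:; media-src * data: blob:; connect-src https: wss:; "
    "script-src 'self' https://{CLIENTID}.ext-twitch.tv"
)


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [sources]}, preserving order."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def serialize_csp(policy: dict) -> str:
    """Join {directive: [sources]} back into a header value."""
    return "; ".join(" ".join([name, *sources]) for name, sources in policy.items())


def validate_origin(origin: str) -> str:
    """Accept only an https:// or wss:// origin (no path) that is not a bare
    public-hosting base domain; return it normalised as scheme://host[:port]."""
    parts = urlsplit(origin)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("https", "wss") or not host or parts.path not in ("", "/"):
        raise ValueError(f"not an https/wss origin: {origin!r}")
    if host in PUBLIC_HOSTING_BASE_DOMAINS:
        raise ValueError(f"base domain of a public hosting service: {origin!r}")
    return f"{parts.scheme}://{parts.netloc}"


def apply_allowlists(header: str, allowlists: dict) -> str:
    """Replace img-src, media-src and connect-src with the validated allowlists.
    A directive left with no sources becomes 'none', so such requests are blocked."""
    policy = parse_csp(header)
    for field, directive in FIELD_TO_DIRECTIVE.items():
        origins = [validate_origin(o) for o in allowlists.get(field, [])]
        keep = [s for s in policy.get(directive, []) if s in ALWAYS_ALLOWED]
        policy[directive] = (keep + origins) or ["'none'"]
    return serialize_csp(policy)


if __name__ == "__main__":
    # Constructed allowlists: a bucket-specific S3 host and a WebSocket API.
    lists = {
        "image_domains": ["https://some-bucket.s3.us-west-2.amazonaws.com"],
        "url_fetching_domains": ["wss://api.example.com"],
    }
    print(apply_allowlists(SAMPLE_CSP, lists))
```

Run it once with your own allowlists and paste the printed value into the header tool as the replacement content-security-policy; a ValueError from validate_origin points at an entry the FAQ says would be rejected (a plain http:// URL, a URL with a path, or a public hosting base domain).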

A given extension's current CSP is

content-security-policy: default-src 'self' https://{CLIENTID}.ext-twitch.tv; block-all-mixed-content; img-src * data: blob:; media-src * data: blob:; frame-ancestors https://supervisor.ext-twitch.tv https://extension-files.twitch.tv https://*.twitch.tv https://*.twitch.tech https://localhost.twitch.tv:* https://localhost.twitch.tech:* http://localhost.rig.twitch.tv:*; font-src https://{CLIENTID}.ext-twitch.tv https://fonts.googleapis.com https://fonts.gstatic.com; style-src 'self' 'unsafe-inline' https://{CLIENTID}.ext-twitch.tv https://fonts.googleapis.com; connect-src https: wss: https://www.google-analytics.com https://stats.g.doubleclick.net; script-src 'self' https://{CLIENTID}.ext-twitch.tv https://extension-files.twitch.tv https://www.google-analytics.com;

Where {CLIENTID} is the extension ClientID.

Can you please provide what the new “default” CSP will be for an extension that provides no entries for img-src, media-src or connect-src?

This will allow developers to test more accurately in advance of the date.

Please also provide any changes to any other response headers that will be made to improve our testing.

Both of these (headers and CSP) should be documented in the documentation.

I would also like the “Get Extensions” API endpoint to be extended to provide the new CSP fields, as then my local test environment can auto-fetch the settings from the API rather than my manually setting this in two places (leading to desync).

UserVoice here: Add CSP fields to Get Extensions – Twitch UserVoice

Will the required domains for Google Analytics be included by default? While I’m struggling to find specific documentation, I suspect connect-src is required, and possibly also img-src (which GA possibly uses as a fallback).
Alternatively I’d suggest that the required domains are added to the Google Analytics in Extensions documentation.

Finally, while the suggested addon works to test this, it would be nice if at some point closer to the cut-off date we can have Twitch turn this on for hosted test (maybe only for extensions that have added this?) just so we can validate it in our own time rather than having to scramble after January 2022 because the way Twitch parsed the URLs was incorrect or something like that.

I predict, yes, since these are already included in the current CSP. See my snippet in the prior post.
So the domains we provide will be added to the existing/default CSP.

So, we won’t have to specify self, googlefonts, analytics for example, as they need an additional CSP (for style-src, script-src) that we can’t add. So they should be included by default, in the other rules by Twitch.