Since its launch, thousands of Extensions have delivered exciting and dynamic experiences to millions of creators and viewers on Twitch. As the Extensions framework allows a high level of flexibility, we must occasionally make technical and policy changes to ensure the security, privacy, and safety of our communities. Today we are announcing a new policy for Extensions for this reason:
2.12 You must provide all URLs that are fetched by the Extension front end on each version submission; this includes, but is not limited to, images, video, audio, and fetch/XHR requests.
Alongside this new policy, Extensions developers must now set three new fields in the metadata of their Extension: “Allowlist for Image Domains”, “Allowlist for Media Domains”, and “Allowlist for URL Fetching Domains”. These fields define the allowed domains in the CSP directives img-src, media-src, and connect-src respectively. With these fields, developers can define the domains that images and media can be safely loaded from, and which HTTPS/WSS domains can be safely connected to.
Starting today, you can submit new Extension versions with these domain allowlists defined. On Tuesday, January 25, 2022, all Extensions will be rendered with CSP policy enforced to only allow resources from your domain allowlists. We are making this announcement today to allow you sufficient time to update your Extension.
If you have any questions about this change, please consult the FAQ below, and feel free to comment directly on this thread.
While your Extension is in Hosted Test, you can use a header-modifying browser tool (e.g. SimplyModifyHeaders) to rewrite your local CSP rules so that they only allow your list of trusted domains. Add your domains to the CSP directives img-src, media-src, and connect-src. More information on CSPs can be found here.
Any Extension that serves front-end resources outside of the uploaded asset package, or connects to a remote resource (XHR, WebSockets), will need to specify the trusted domains that will be used. If all of your front-end resources are included in your uploaded asset package, and your front end does not connect to a remote resource, you will not need to set anything in the domain allowlist fields.
As a general rule, we cannot allow base domains of public hosting services. For example, if you are serving assets out of Amazon Web Services S3, we cannot allow https://s3.us-west-2.amazonaws.com, but we could allow the domain name that specifies your bucket (e.g.,
Any requests to include or to connect to resources will be blocked by the CSP, with the exception of resources included in your asset package, served from Twitch’s CDN.
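The following is an added example (not code from Twitch or the Extensions framework) that shows how the three allowlist fields map onto the img-src, media-src and connect-src directives, and how a front-end request is evaluated against them, including the bucket-specific-versus-base-domain case above. The 'self' source standing in for the asset package, the host-source syntax assumed for the fields, and every hostname are constructed assumptions.

```javascript
// Added example (not Twitch's code): build img-src / media-src / connect-src
// from the three allowlist fields and check whether a front-end request
// would pass. The 'self' source standing in for the asset package on
// Twitch's CDN, the field syntax and the sample hostnames are assumptions.

function buildCsp({ imageDomains = [], mediaDomains = [], fetchDomains = [] }) {
  const dir = (name, hosts) => [name, "'self'", ...hosts].join(" ");
  return [
    dir("img-src", imageDomains),
    dir("media-src", mediaDomains),
    dir("connect-src", fetchDomains),
  ].join("; ");
}

// Parse a serialized policy into { directiveName: [sources...] }.
function parseCsp(csp) {
  const policy = {};
  for (const part of csp.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name] = sources;
  }
  return policy;
}

// Host-source matching for the cases that matter here (ports and paths are
// not handled): a scheme, when given, must match; "*." matches subdomains
// but not the bare domain; a plain host matches only that exact host.
function sourceMatches(source, url, selfOrigin) {
  if (source === "'self'") return url.origin === selfOrigin;
  const m = /^(?:(https?|wss?):\/\/)?(\*\.)?([^/:*]+)$/.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && url.protocol !== `${scheme}:`) return false;
  return wildcard ? url.hostname.endsWith(`.${host}`) : url.hostname === host;
}

function isAllowed(csp, directive, rawUrl, selfOrigin) {
  const url = new URL(rawUrl);
  const sources = parseCsp(csp)[directive] || [];
  return sources.some((s) => sourceMatches(s, url, selfOrigin));
}

// Constructed sample: a bucket-specific S3 hostname (not the S3 base domain),
// a wildcard media CDN, and an HTTPS + WSS API host for fetch/WebSockets.
const SELF_ORIGIN = "https://ext.example.invalid"; // placeholder package origin
const SAMPLE_CSP = buildCsp({
  imageDomains: ["my-bucket.s3.us-west-2.amazonaws.com"],
  mediaDomains: ["*.cdn.example.com"],
  fetchDomains: ["https://api.example.com", "wss://api.example.com"],
});
```

Running the checker during Hosted Test against the URLs your front end actually requests surfaces any resource that will be blocked once enforcement starts, before the version is submitted.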