Skip to content
Latchkey

Manifest V3 CSP rejects 'unsafe-eval' in CI

Manifest V3 enforces a stricter Content Security Policy: 'unsafe-eval' and remote script-src values are not permitted in the content_security_policy.extension_pages directive. Declaring them fails validation.

What this error means

Validation reports that the content_security_policy value is insecure, naming 'unsafe-eval' or a remote source as not allowed in manifest version 3.

web-ext
MANIFEST_CSP
"content_security_policy.extension_pages": Insecure CSP value "'unsafe-eval'"
in directive "script-src".

Common causes

The CSP declares 'unsafe-eval'

A bundled dependency or dev config asked for eval, and the manifest CSP whitelisted 'unsafe-eval', which V3 forbids.

A remote script-src in the CSP

V3 requires scripts to be packaged locally; a remote host in script-src is rejected.

How to fix it

Remove 'unsafe-eval' and remote sources

  1. Drop 'unsafe-eval' from the extension_pages CSP.
  2. Configure the bundler to avoid eval (no eval-based source maps in production).
  3. Bundle any remote scripts locally instead of referencing them.
manifest.json
"content_security_policy": {
  "extension_pages": "script-src 'self'; object-src 'self'"
}

Disable eval source maps in the production build

Some bundlers emit eval-wrapped code in dev mode; use a non-eval devtool for the extension build.

webpack.config.js
// webpack
module.exports = { devtool: 'source-map' };

How to prevent it

  • Never add 'unsafe-eval' to a V3 manifest CSP.
  • Use non-eval source maps for production extension builds.
  • Bundle all scripts locally.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →