adding unsafe-inline in chrome extension manifest v3

3

9

I'm building a Chrome extension and facing a problem related to CSP. I'm using Manifest V3.

Below is my CSP:

    "content_security_policy": {
        "extension_pages": "script-src 'self' 'unsafe-inline' 'https://cdn.jsdelivr.net/'; object-src 'self'"
    }

I'm using alpine.js in my code and wanted to run it. It was running in v2 but I'm not able to get it working in manifest v3.

Thanks

Pincenez answered 23/2, 2021 at 14:19 Comment(2)
It won't work, otherwise it'd be trivial to circumvent the restriction on external code. - Mechanics
@wOxxOm can this be loaded inside the default_popup when downloaded locally? I'm still getting a CSP error mentioning "Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution." - Neill
A
5

Please see the Migrating to Manifest V3 (mv3).

Scripts from external domains are not allowed in mv3; all scripts must be included in the extension package.

"extension_pages": - this policy covers pages in your extension, including HTML files and service workers. These page types are served from the chrome-extension:// protocol. For instance, a page in your extension is chrome-extension://<extension-id>/foo.html.

Therefore https://cdn.jsdelivr.net/ is a wrong source for CSP in mv3. BTW, host-sources like 'https://cdn.jsdelivr.net/' shouldn't be single-quoted in CSP.

"I'm not able to get it working in manifest v3" is not a technical description of the problem. If something fails to work, there should be diagnostic messages in the console.

Arapaima answered 24/2, 2021 at 10:40 Comment(1)
Should that work for default_popup too? I tried using "Web_accessible_resource" to inject it inside popup.js loaded from the popup.html, but still get the error "Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution." #74402680 - Neill
W
1

As @granty wrote, it's not allowed to use external scripts in Manifest v3.

Even if Alpine.js is included as a local js file, it seems that it is using eval(), which is prohibited by manifest v3 as well. It's allowed in sandboxed pages only (should be explicitly listed in the manifest), but such pages have some restrictions (like disabled extensions API).

    "sandbox": {
        "pages": ["awesome_alpine.html"]
    },

https://developer.chrome.com/docs/extensions/mv3/mv3-migration/#content-security-policy

https://developer.chrome.com/docs/extensions/mv3/sandboxingEval/

Weldonwelfare answered 30/10, 2022 at 17:56 Comment(1)
I was getting an error when running vue.js even though it was stored locally. After adding the popup.html to sandbox pages, the vue js script worked. - Cellar
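A small linter for the points raised in the two answers above, as an added example that is not code from the thread or from Chrome: it parses `content_security_policy.extension_pages` and reports the `script-src` entries those answers say MV3 does not accept. `parseCsp`, `checkExtensionPagesCsp` and both sample manifests are constructed for illustration.

```javascript
// Added example, not code from the thread. Function names and both sample
// manifests are constructed; the checks mirror the answers on this page.
const KEYWORD = /^'(self|none|strict-dynamic|unsafe-hashes|wasm-unsafe-eval|nonce-.+|sha(256|384|512)-.+)'$/i;

// "script-src a b; object-src c" -> Map { "script-src" => ["a", "b"], ... }
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // CSP honours the first occurrence of a directive and ignores repeats.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function checkExtensionPagesCsp(manifest) {
  const policy = manifest.content_security_policy?.extension_pages;
  if (manifest.manifest_version !== 3 || typeof policy !== "string") return [];
  const findings = [];
  for (const source of parseCsp(policy).get("script-src") ?? []) {
    if (/^'unsafe-inline'$/i.test(source)) {
      findings.push({ source, issue: "unsafe-inline", fix: "move inline code into a packaged .js file" });
    } else if (/^'unsafe-eval'$/i.test(source)) {
      findings.push({ source, issue: "unsafe-eval", fix: "list eval-dependent pages under sandbox.pages" });
    } else if (!KEYWORD.test(source)) {
      // Anything that is not a quoted keyword is a host or scheme source.
      if (/^'.*'$/.test(source)) {
        findings.push({ source, issue: "quoted-host-source", fix: "host sources are written without quotes" });
      }
      findings.push({ source, issue: "external-source", fix: "bundle the script in the extension package" });
    }
  }
  return findings;
}

// Constructed manifests: the policy from the question, and a packaged variant.
const before = {
  manifest_version: 3,
  content_security_policy: {
    extension_pages: "script-src 'self' 'unsafe-inline' 'https://cdn.jsdelivr.net/'; object-src 'self'",
  },
};
const after = {
  manifest_version: 3,
  content_security_policy: { extension_pages: "script-src 'self'; object-src 'self'" },
  sandbox: { pages: ["awesome_alpine.html"] },
};
for (const f of checkExtensionPagesCsp(before)) console.log(`${f.issue}: ${f.source} -> ${f.fix}`);
console.log("after:", checkExtensionPagesCsp(after).length, "findings");
```

Run against a manifest in CI or a pre-commit hook, the check surfaces these entries before the extension is loaded.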
F
0

I faced a similar problem and opted to use a JS interpreter, sval. You can do pretty much everything and it kind of defeats the purpose of "security" defined in manifest v3!

Fugleman answered 6/7, 2024 at 12:17 Comment(0)
