Content Security Policy Guide

Browsers enforce a set of content security policies on websites, and an add-on is no different. You may specify your own subset of a security policy in your app manifest (manifest.json) via the content_security_policy field.

{
    "content_security_policy": {
        "connect-src": [
            "https://api.example.com/a_specific_endpoint",
            "https://api.example.com/a_whole_subdirectory/",
            "https://example.com/"
        ],
        "img-src": ["https://example.com/images/"]
    }
}

We currently support two fields:

  1. connect-src
  2. img-src
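
The following is an added example, not code from the platform or from this guide: it lints a content_security_policy block against the two supported fields and reports which entries cover a given request URL. It assumes entries are matched the way standard CSP source expressions are (same origin, then exact path, or everything beneath the path when the entry ends with "/"); the function names and the sample manifest are constructed for illustration.

```javascript
// Added example; function names are illustrative, not a platform API.
const SUPPORTED = new Set(["connect-src", "img-src"]);

// Constructed sample, mirroring the manifest shown in this guide.
const manifest = {
  content_security_policy: {
    "connect-src": [
      "https://api.example.com/a_specific_endpoint",
      "https://api.example.com/a_whole_subdirectory/",
      "https://example.com/"
    ],
    "img-src": ["https://example.com/images/"]
  }
};

// Report fields the guide does not list and entries that are not absolute URLs.
function lintPolicy(policy) {
  const problems = [];
  for (const [directive, sources] of Object.entries(policy)) {
    if (!SUPPORTED.has(directive)) {
      problems.push(`unsupported directive: ${directive}`);
      continue;
    }
    if (!Array.isArray(sources)) {
      problems.push(`${directive}: expected a list of URLs`);
      continue;
    }
    for (const src of sources) {
      try { new URL(src); } catch { problems.push(`${directive}: not a URL: ${src}`); }
    }
  }
  return problems;
}

// Assumption: standard CSP matching. Scheme, host and port must be equal;
// a path ending in "/" is a prefix, any other path must match exactly.
function sourceMatches(source, requestUrl) {
  const s = new URL(source), r = new URL(requestUrl);
  if (s.origin !== r.origin) return false;
  return s.pathname.endsWith("/")
    ? r.pathname.startsWith(s.pathname)
    : r.pathname === s.pathname;
}

// Entries of one field that cover requestUrl (empty list: nothing covers it).
function matchingEntries(policy, directive, requestUrl) {
  return (policy[directive] || []).filter((src) => {
    try { return sourceMatches(src, requestUrl); } catch { return false; }
  });
}
```

Under that assumption, an entry without a trailing slash covers only that one path, so a request to a_specific_endpoint/extra is not covered by any entry in the sample.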