Manifest - Web Accessible Resources
An array of strings specifying the paths of packaged resources that are expected
to be usable in the context of a web page. These paths are relative to the package
root, and may contain wildcards.
For example, an extension that injects a content script with the intention of
building up some custom interface for example.com would allow any resources
that interface requires (images, icons, stylesheets, scripts, etc.) as follows:
{
  ...
  "web_accessible_resources": [
    "images/*.png",
    "style/double-rainbow.css",
    "script/double-rainbow.js",
    "script/main.js",
    "templates/*"
  ],
  ...
}
These resources would then be available in a webpage via the URL
chrome-extension://[PACKAGE ID]/[PATH], which can be generated with the
extension.getURL method. Allowlisted resources are served with appropriate
CORS headers, so they're available via mechanisms like XHR.
A navigation from a web origin to an extension resource will be blocked unless the resource is listed as web accessible. Note these corner cases:
- When an extension uses the webRequest or declarativeWebRequest APIs to redirect a public resource request to a resource that is not web accessible, such a request is also blocked.
- The above holds true even if the resource that is not web accessible is owned by the redirecting extension.
Content scripts themselves do not need to be allowlisted.
Prior to manifest version 2 all resources within an extension could be accessed from any page on the web. This allowed a malicious website to fingerprint the extensions that a user has installed or exploit vulnerabilities (for example XSS bugs) within installed extensions. Limiting availability to only resources which are explicitly intended to be web accessible serves to both minimize the available attack surface and protect the privacy of users.
Default Availability
Resources inside of packages using manifest_version 2 or above are blocked by
default, and must be allowlisted for use via this property.
Resources inside of packages using manifest_version 1 are available by
default, but if you do set this property, then it will be treated as a
complete list of all allowlisted resources. Resources not listed will be
blocked.
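The default-availability rules and wildcard allowlist described above, as an added JavaScript example (not Chrome's own code): it reports which packaged files a web page could load and flags scripts and HTML pages for review. Assumptions: "*" matches any run of characters including "/", a missing manifest_version counts as 1, and the file names beyond the manifest example are constructed.

```javascript
// Added example: which packaged files can a web page load?
// Assumption: "*" matches any run of characters, including "/".
function patternToRegExp(pattern) {
  const escaped = pattern
    .split("*")
    .map((part) => part.replace(/[.+?^${}()|[\]\\]/g, "\\$&"))
    .join(".*");
  return new RegExp("^" + escaped + "$");
}

// Applies the default-availability rules for the given manifest.
function isWebAccessible(manifest, path) {
  const list = manifest.web_accessible_resources;
  const version = manifest.manifest_version || 1; // assumption: missing means 1
  if (list === undefined) {
    // manifest_version 1: everything is available; 2 or above: nothing is.
    return version < 2;
  }
  // Once the property is set it is the complete allowlist, in any version.
  return list.some((p) => patternToRegExp(p).test(path));
}

// Returns the packaged files exposed to web pages. "active" marks scripts and
// HTML pages, the resources where an exposed bug such as XSS would matter most.
function auditExposure(manifest, packagedFiles) {
  return packagedFiles
    .filter((f) => isWebAccessible(manifest, f))
    .map((f) => ({ path: f, active: /\.(js|html?)$/i.test(f) }));
}

// Constructed sample input: the manifest from the example above plus a
// hypothetical list of files in the package.
const sampleManifest = {
  manifest_version: 2,
  web_accessible_resources: [
    "images/*.png", "style/double-rainbow.css",
    "script/double-rainbow.js", "script/main.js", "templates/*",
  ],
};
const sampleFiles = [
  "images/logo.png", "images/logo.svg", "script/main.js",
  "script/background.js", "templates/panel.html", "options.html",
];

for (const r of auditExposure(sampleManifest, sampleFiles)) {
  console.log((r.active ? "REVIEW " : "ok     ") + r.path);
}
```

Every entry marked REVIEW is reachable from any web origin, so it is worth confirming that each one needs to be web accessible at all.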