[BUG] Claude-in-Chrome extension blocked by CSP - inline script violation

Resolved 💬 3 comments Opened Jan 27, 2026 by EmircanDemirTR Closed Jan 31, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Chrome extension fails with CSP error:

  • Inline script in sidepanel.html blocked
  • Error: "Executing inline script violates CSP directive 'script-src 'self''"
  • Extension needs to use hash/nonce or external script file

What Should Happen?

Chrome extension fails with CSP error:

  • Inline script in sidepanel.html blocked
  • Error: "Executing inline script violates CSP directive 'script-src 'self''"
  • Extension needs to use hash/nonce or external script file

Error Messages/Logs

Steps to Reproduce

xecuting inline script violates the following Content Security Policy directive 'script-src 'self''. Either the 'unsafe-inline' keyword, a hash ('sha256-kFwyFWA0myfqRcE5y2d5UX8g0o2QFHSmCz1gWSW0xpk='), or a nonce ('nonce-...') is required to enable inline execution. The action has been blocked.
sidepanel.html?tabId=402929960:8
Executing inline script violates the following Content Security Policy directive 'script-src 'self' 'wasm-unsafe-eval' 'inline-speculation-rules''. Either the 'unsafe-inline' keyword, a hash ('sha256-kFwyFWA0myfqRcE5y2d5UX8g0o2QFHSmCz1gWSW0xpk='), or a nonce ('nonce-...') is required to enable inline execution. The action has been blocked.
Main-DIS361Sg.js:20
Loading the script 'https://cdn.segment.com/next-integrations/actions/amplitude-plugins/01d0dcc….js' violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback. The action has been blocked.
Main-DIS361Sg.js:20
Loading the script 'https://cdn.segment.com/next-integrations/actions/amplitude-plugins/01d0dcc….js' violates the following Content Security Policy directive: "script-src 'self' 'wasm-unsafe-eval' 'inline-speculation-rules'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback. The action has been blocked.
sidepanel-yURUk1gX.js:12
Uncaught (in promise) Error: Could not establish connection. Receiving end does not exist.
mcpPermissions-juDHLu3j.js:3
Uncaught (in promise) Error: Could not establish connection. Receiving end does not exist.

Press ctrl i to turn on code suggestions. Press ctrl x to disable code suggestions.
ctrl
i
 to turn on code suggestions. Don't show again

Executing inline script violates the following Content Security Policy directive 'script-src 'self''. Either the 'unsafe-inline' keyword, a hash ('sha256-kFwyFWA0myfqRcE5y2d5UX8g0o2QFHSmCz1gWSW0xpk='), or a nonce ('nonce-...') is required to enable inline execution. The action has been blocked.
Bağlamsidepanel.html?tabId=402929960Yığın İzleme
sidepanel.html?tabId=402929960:8 (anonim işlev)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
<!doctype html>
<html lang="en" data-theme="claude">
<head>
<meta charset="UTF-8" />
<link rel="icon" type="image/svg+xml" href="/icon-128.png" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>Claude for Chrome</title> <script>
// Set initial theme mode based on system preference
(function () {
const isDark = window.matchMedia(
"(prefers-color-scheme: dark)",
).matches;
document.documentElement.setAttribute(
"data-mode",
isDark ? "dark" : "light",
);
// Listen for system theme changes
window
.matchMedia("(prefers-color-scheme: dark)")
.addEventListener("change", (e) => {
document.documentElement.setAttribute(
"data-mode",
e.matches ? "dark" : "light",
);
});
})();
</script>
<script type="module" crossorigin src="/assets/sidepanel-yURUk1gX.js"></script>
<link rel="modulepreload" crossorigin href="/assets/permissions-BsMI2TUG.js">
<link rel="modulepreload" crossorigin href="/assets/Main-DIS361Sg.js">
<link rel="modulepreload" crossorigin href="/assets/client-BLU1RtqI.js">
<link rel="modulepreload" crossorigin href="/assets/SentryService-Bpayo6Ny.js">
<link rel="modulepreload" crossorigin href="/assets/mcpPermissions-juDHLu3j.js">
<link rel="modulepreload" crossorigin href="/assets/ModelSelector-GDUcHpDy.js">
<link rel="modulepreload" crossorigin href="/assets/punycode.es6-BmPUeujg.js">
<link rel="modulepreload" crossorigin href="/assets/datadog-BkLmkJ5p.js">
<link rel="stylesheet" crossorigin href="/assets/Main-BWmGWfNh.css">
<link rel="stylesheet" crossorigin href="/assets/sidepanel-CD1qrI1T.css">
</head>
<body>
<div id="root"></div>
</body>
</html>

Executing inline script violates the following Content Security Policy directive 'script-src 'self' 'wasm-unsafe-eval' 'inline-speculation-rules''. Either the 'unsafe-inline' keyword, a hash ('sha256-kFwyFWA0myfqRcE5y2d5UX8g0o2QFHSmCz1gWSW0xpk='), or a nonce ('nonce-...') is required to enable inline execution. The action has been blocked.

Loading the script 'https://cdn.segment.com/next-integrations/actions/amplitude-plugins/01d0dcccc64ec8f9523a.js' violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback. The action has been blocked.

Loading the script 'https://cdn.segment.com/next-integrations/actions/amplitude-plugins/01d0dcccc64ec8f9523a.js' violates the following Content Security Policy directive: "script-src 'self' 'wasm-unsafe-eval' 'inline-speculation-rules'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback. The action has been blocked.

Uncaught (in promise) Error: Could not establish connection. Receiving end does not exist.

Uncaught (in promise) Error: Could not establish connection. Receiving end does not exist.

Claude Model

Not sure / Multiple models

Is this a regression?

Yes, this worked in a previous version

Last Working Version

_No response_

Claude Code Version

Code

Platform

Other

Operating System

Windows

Terminal/Shell

PowerShell

Additional Information

_No response_

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗