Chrome Extension CSP violation blocks sidepanel inline script - extension fails to load Chrome version Version 144.0.7559.110 (Official Build) (64-bit)
Bug Description
The Claude Chrome extension fails to load due to Content Security Policy (CSP) violations. The sidepanel has an inline script for theme detection that is blocked by Chrome's
extension CSP rules.
## Error Messages
Executing inline script violates the following Content Security Policy directive 'script-src 'self''. Either the 'unsafe-inline' keyword, a hash
('sha256-kFwyFWA0myfqRcE5y2d5UX8g0o2QFHSmCz1gWSW0xpk='), or a nonce ('nonce-...') is required to enable inline execution. The action has been blocked.
Context: sidepanel.html?tabId=1677975118
Additional errors:
Loading the script 'https://cdn.segment.com/next-integrations/actions/amplitude-plugins/...' violates CSP directive: "script-src 'self'"Uncaught (in promise) Error: Could not establish connection. Receiving end does not exist.
## Root Cause
The inline script in sidepanel.html (lines 8-27) for theme detection violates Chrome's extension CSP:
```html
<script>
// Set initial theme mode based on system preference
(function () {
const isDark = window.matchMedia("(prefers-color-scheme: dark)").matches;
// ...
})();
</script>
Suggested Fix
Either:
- Move the inline script to an external .js file
- Add the script hash sha256-kFwyFWA0myfqRcE5y2d5UX8g0o2QFHSmCz1gWSW0xpk= to the CSP in manifest.json
Environment
- Claude Code version: 2.1.23
- OS: Windows 11 (Build 22621)
- Chrome version: [Please check chrome://version and add here]
Steps to Reproduce
- Install Claude Chrome extension
- Install Claude Code CLI
- Run /chrome command in Claude Code
- Click "Reconnect extension"
- Chrome opens briefly then the sidepanel fails to load
Expected Behavior
The extension sidepanel should load and connect to Claude Code.
Actual Behavior
Chrome closes immediately after reconnection attempt. Extension shows CSP errors in console.
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗