Claude-in-Chrome extension: CSP blocks inline scripts, breaks native messaging
Resolved 💬 3 comments Opened Feb 11, 2026 by israelmirsky Closed Feb 15, 2026
Bug Report
The Claude browser extension (Chrome) fails to connect to Claude Code due to Content Security Policy violations in its own sidepanel.html.
Environment
- Claude Code: 2.1.39
- Chrome: 144.0.7559.133 (macOS)
- Extension ID: fcoeoabgfenejglbffodgkkbkcdhcgfn
Errors (from chrome://extensions → Inspect service worker)
CSP violation in sidepanel.html:
Executing inline script violates the following Content Security Policy directive 'script-src 'self''.
Either the 'unsafe-inline' keyword, a hash ('sha256-kFwyFWA0myfqRcE5y2d5UX8g0o2QFHSmCz1gWSW0xpk='),
or a nonce ('nonce-...') is required to enable inline execution. The action has been blocked.
The inline script at sidepanel.html:8 (theme detection) is blocked by Chrome's CSP.
Native messaging failure:
Uncaught (in promise) Error: Could not establish connection. Receiving end does not exist.
Error: A listener indicated an asynchronous response by returning true,
but the message channel closed before a response was received
Steps to Reproduce
- Install Claude browser extension in Chrome
- Run Claude Code CLI (v2.1.39)
/mcpshows "Reconnected to claude-in-chrome" buttabs_context_mcpreturns "Browser extension is not connected"- Native messaging host at
~/.claude/chrome/chrome-native-hostexists and points to correct binary
Expected
Extension connects to Claude Code and mcp__claude-in-chrome__tabs_context_mcp returns tab info.
Actual
Extension's sidepanel fails to load due to CSP, native messaging bridge never establishes.
Notes
- The
sidepanel.htmlcontains an inline<script>for theme detection that Chrome's Manifest V3 CSP blocks - The native messaging host manifest and binary are correctly configured
- Toggling the extension, running
/mcp, and restarting Chrome did not resolve the issue
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗