[BUG] Chrome extension sidepanel fails to load on Chrome 145 due to inline script CSP violation

Resolved 💬 3 comments Opened Feb 15, 2026 by torfinnberset Closed Feb 15, 2026

Bug Description

The Claude Chrome extension (v1.0.50) fails to initialize its side panel on Chrome 145. Chrome blocks the inline <script> in sidepanel.html with:

Executing inline script violates the following Content Security Policy directive 'script-src 'self''. Either the 'unsafe-inline' keyword, a hash ('sha256-kFwyFWA0myfqRcE5y2d5UX8g0o2QFHSmCz1gWSW0xpk='), or a nonce ('nonce-...') is required to enable inline execution.

Because the side panel JS never loads, connectNative() is never called, so the native messaging host is never launched and Claude Code reports "Extension: Not detected".

The same inline theme-init script exists in newtab.html, options.html, and pairing.html.

Steps to Reproduce

  1. Install Chrome 145 (currently stable)
  2. Install Claude extension (v1.0.50)
  3. Open the Claude side panel
  4. Observe CSP error in DevTools console for sidepanel.html:8
  5. Run /chrome in Claude Code → "Extension: Not detected"

Workaround

Extract the inline script to an external file and load the extension unpacked:

  1. Copy the installed extension to a writable location:

``bash
cp -r ~/.config/google-chrome/Default/Extensions/fcoeoabgfenejglbffodgkkbkcdhcgfn/<version> \
~/.claude/chrome-ext-patched
``

  1. Create theme-init.js with the contents of the inline script block
  1. In all four HTML files (sidepanel.html, newtab.html, options.html, pairing.html), replace:

``html
<script>
// Set initial theme mode based on system preference
(function () { ... })();
</script>
`
with:
`html
<script src="/theme-init.js"></script>
``

  1. Remove update_url from manifest.json (required for unpacked loading)
  1. Disable the store extension, load the patched directory as an unpacked extension

Fix

Move the inline theme-detection script in the extension's HTML files to an external .js file. The extension's own CSP already specifies script-src 'self', which allows external scripts from the extension origin but blocks inline scripts.

Environment Info

  • Chrome: 145.0.7632.75 (Flatpak, but the CSP issue is not Flatpak-specific)
  • Extension: 1.0.50
  • Claude Code: 2.1.42
  • Platform: Linux (Bazzite/Fedora 43)

Related Issues

  • #15587 — Flatpak Chrome integration (separate sandbox/path issues)

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗