[BUG] Claude extension 1.0.68 logs recurring CSP + debugger + runtime errors

Resolved 💬 3 comments Opened Apr 21, 2026 by spencergoldade Closed Apr 25, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

The Claude browser extension (v1.0.68) logs five recurring non-fatal error classes during both passive (idle) and active (MCP tool calls like navigate / click) use. The functional MCP browser bridge works correctly after OAuth scope refresh, but the extension error dialog fills with CSP violations and unhandled promise rejections every session.

What Should Happen?

The extension should not violate its own CSP (the bundle currently emits inline scripts and tries to load third-party scripts the extension's own script-src 'self' blocks). The Datadog SDK should load once, not twice.
Debugger detach calls should check chrome.runtime.lastError. Runtime messages should not fire against tabs where no receiver exists (e.g. chrome:// pages).

Error Messages/Logs

1. Executing inline script violates the following Content Security Policy     
  directive 'script-src 'self''. Either the 'unsafe-inline' keyword, a hash     
  ('sha256-kFwyFWA0myfqRcE5y2d5UX8g0o2QFHSmCz1gWSW0xpk='), or a nonce
  ('nonce-...') is required to enable inline execution. The action has been     
  blocked.        

  2. Executing inline script violates the following Content Security Policy     
  directive 'script-src 'self' 'wasm-unsafe-eval' 'inline-speculation-rules''.
  Either the 'unsafe-inline' keyword, a hash                                    
  ('sha256-kFwyFWA0myfqRcE5y2d5UX8g0o2QFHSmCz1gWSW0xpk='), or a nonce
  ('nonce-...') is required to enable inline execution. The action has been
  blocked.

  3. Datadog Browser SDK: SDK is loaded more than once. This is unsupported and
  might have unexpected behavior.

  4. Loading the script 'https://cdn.segment.com/next-integrations/actions/ampli
  tude-plugins/f12a4347e1080fb88155.js' violates the following Content Security
  Policy directive: "script-src 'self'". Note that 'script-src-elem' was not    
  explicitly set, so 'script-src' is used as a fallback. The action has been
  blocked.

  5. Uncaught (in promise) Error: Could not establish connection. Receiving end 
  does not exist.
                                                                                
  6. Unchecked runtime.lastError: Debugger is not attached to the tab with id:
  <tabId>.

  Also seen in CLI --debug output (not fatal, but likely a version drift):      
   
  [WARN] [Claude in Chrome] Unrecognized bridge message type: routing_ack       
                  
  Separate root-cause note on why the extension appeared "not connected" before 
  the reproducer below: the cached OAuth token in Claude Code lacked the
  user:profile scope, so the WS bridge                                          
  wss://bridge.claudeusercontent.com/chrome/<userId> rejected the handshake with
   {"type":"error","error":"Invalid token or user mismatch"}. A forced claude
  auth login refreshed scopes and the bridge paired in ~94ms. That was a silent
  failure mode worth surfacing better in the error message.

Steps to Reproduce

  1. Install the Claude extension (Chrome Web Store, v1.0.68).
  2. Install Claude Code 2.1.116. Run claude auth login to ensure the OAuth token carries the user:profile scope. (Older tokens cause a silent bridge handshake failure with "Invalid token or user mismatch".)
  3. Open chrome://extensions/ → Claude → Errors → Clear all.
  4. In a Claude Code session with chrome integration enabled, call:
  • mcp__claude-in-chrome__tabs_create_mcp
  • mcp__claude-in-chrome__navigate (tabId, url: https://spencergoldade.ca)
  • mcp__claude-in-chrome__find (tabId, query: "main navigation links")
  • mcp__claude-in-chrome__computer (tabId, action: left_click, ref: <ref from find>)
  1. Return to chrome://extensions/ → Claude → Errors.
  2. Observe: all six error classes listed above, some fired multiple times.

Notes:

  • Errors 1, 2, 3, 4 fire passively on extension load, independent of any MCP

call.

  • Error 5 fires when the extension pings tabs where no content script is

injected (e.g. chrome://newtab).

  • Error 6 fires on every computer.left_click via the chrome.debugger API.

Claude Model

Opus

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

n/a

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Terminal.app (macOS)

Additional Information

  • Extension ID: fcoeoabgfenejglbffodgkkbkcdhcgfn
  • Extension version: 1.0.68 (git-hash.txt:

afad07eac99fba59beb298d6b2599940ba780889)

  • Chrome: 147.0.7727.101
  • Native messaging host: com.anthropic.claude_code_browser_extension, routed

through ~/.claude/chrome/chrome-native-host → claude --chrome-native-host

  • Extension manifest CSP (extension_pages): "script-src 'self'; object-src

'self'; connect-src 'self' https://api.anthropic.com wss://api.anthropic.com
... https://.segment.com ... https://browser-intake-us5-datadoghq.com
wss://bridge.claudeusercontent.com ...; style-src 'self' 'unsafe-inline';
img-src 'self' data: https:; font-src 'self' data:;"

Suggested fixes (from the outside — minified bundle, not source):

  • Errors 1/2: whitelist the inline script hash in

content_security_policy.extension_pages (hash is deterministic:
sha256-kFwyFWA0myfqRcE5y2d5UX8g0o2QFHSmCz1gWSW0xpk=), or move that script to
an external file.

  • Error 3: the bundle imports @datadog/browser-* twice; gate to a single init.
  • Error 4: either add https://cdn.segment.com to script-src or disable

Segment's dynamic plugin loader for the extension build. connect-src already
permits Segment; script-src does not.

  • Error 5: wrap chrome.runtime.sendMessage / chrome.tabs.sendMessage calls

with .catch(() => {}), or skip tabs whose URL starts with chrome://,
chrome-extension://, about:, edge://, devtools://.

  • Error 6: check chrome.runtime.lastError after every

chrome.debugger.detach() call, or short-circuit when no prior attach is
recorded.

  • Bridge: when wss://bridge.claudeusercontent.com/chrome/<userId> returns

{"type":"error","error":"Invalid token or user mismatch"}, the CLI should
surface an "OAuth token missing required scope; please run claude auth
login
" message instead of the generic "Browser extension is not connected"
hint (the extension IS connected; the CLI side is the one rejected).

  • CLI: handle routing_ack bridge messages to suppress the "Unrecognized

bridge message type" warning.

<img width="2576" height="1657" alt="Image" src="https://github.com/user-attachments/assets/1bc5afe3-514b-472f-97cd-4258882a5c12" />
<img width="2576" height="1373" alt="Image" src="https://github.com/user-attachments/assets/c9df205e-d0da-45aa-8441-788cd3350c07" />
<img width="1008" height="798" alt="Image" src="https://github.com/user-attachments/assets/49b8ef14-e479-48ed-8388-ab55ced68d82" />
<img width="984" height="154" alt="Image" src="https://github.com/user-attachments/assets/df1854d8-d110-4688-82b7-ef4557f2db9e" />

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗