[BUG] Claude extension 1.0.68 logs recurring CSP + debugger + runtime errors
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
The Claude browser extension (v1.0.68) logs five recurring non-fatal error classes during both passive (idle) and active (MCP tool calls like navigate / click) use. The functional MCP browser bridge works correctly after OAuth scope refresh, but the extension error dialog fills with CSP violations and unhandled promise rejections every session.
What Should Happen?
The extension should not violate its own CSP (the bundle currently emits inline scripts and tries to load third-party scripts the extension's own script-src 'self' blocks). The Datadog SDK should load once, not twice.
Debugger detach calls should check chrome.runtime.lastError. Runtime messages should not fire against tabs where no receiver exists (e.g. chrome:// pages).
Error Messages/Logs
1. Executing inline script violates the following Content Security Policy
directive 'script-src 'self''. Either the 'unsafe-inline' keyword, a hash
('sha256-kFwyFWA0myfqRcE5y2d5UX8g0o2QFHSmCz1gWSW0xpk='), or a nonce
('nonce-...') is required to enable inline execution. The action has been
blocked.
2. Executing inline script violates the following Content Security Policy
directive 'script-src 'self' 'wasm-unsafe-eval' 'inline-speculation-rules''.
Either the 'unsafe-inline' keyword, a hash
('sha256-kFwyFWA0myfqRcE5y2d5UX8g0o2QFHSmCz1gWSW0xpk='), or a nonce
('nonce-...') is required to enable inline execution. The action has been
blocked.
3. Datadog Browser SDK: SDK is loaded more than once. This is unsupported and
might have unexpected behavior.
4. Loading the script 'https://cdn.segment.com/next-integrations/actions/ampli
tude-plugins/f12a4347e1080fb88155.js' violates the following Content Security
Policy directive: "script-src 'self'". Note that 'script-src-elem' was not
explicitly set, so 'script-src' is used as a fallback. The action has been
blocked.
5. Uncaught (in promise) Error: Could not establish connection. Receiving end
does not exist.
6. Unchecked runtime.lastError: Debugger is not attached to the tab with id:
<tabId>.
Also seen in CLI --debug output (not fatal, but likely a version drift):
[WARN] [Claude in Chrome] Unrecognized bridge message type: routing_ack
Separate root-cause note on why the extension appeared "not connected" before
the reproducer below: the cached OAuth token in Claude Code lacked the
user:profile scope, so the WS bridge
wss://bridge.claudeusercontent.com/chrome/<userId> rejected the handshake with
{"type":"error","error":"Invalid token or user mismatch"}. A forced claude
auth login refreshed scopes and the bridge paired in ~94ms. That was a silent
failure mode worth surfacing better in the error message.
Steps to Reproduce
- Install the Claude extension (Chrome Web Store, v1.0.68).
- Install Claude Code 2.1.116. Run
claude auth loginto ensure the OAuth token carries theuser:profilescope. (Older tokens cause a silent bridge handshake failure with "Invalid token or user mismatch".) - Open
chrome://extensions/→ Claude → Errors → Clear all. - In a Claude Code session with chrome integration enabled, call:
- mcp__claude-in-chrome__tabs_create_mcp
- mcp__claude-in-chrome__navigate (tabId, url: https://spencergoldade.ca)
- mcp__claude-in-chrome__find (tabId, query: "main navigation links")
- mcp__claude-in-chrome__computer (tabId, action: left_click, ref: <ref from find>)
- Return to
chrome://extensions/→ Claude → Errors. - Observe: all six error classes listed above, some fired multiple times.
Notes:
- Errors 1, 2, 3, 4 fire passively on extension load, independent of any MCP
call.
- Error 5 fires when the extension pings tabs where no content script is
injected (e.g. chrome://newtab).
- Error 6 fires on every
computer.left_clickvia thechrome.debuggerAPI.
Claude Model
Opus
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
n/a
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
Terminal.app (macOS)
Additional Information
- Extension ID: fcoeoabgfenejglbffodgkkbkcdhcgfn
- Extension version: 1.0.68 (git-hash.txt:
afad07eac99fba59beb298d6b2599940ba780889)
- Chrome: 147.0.7727.101
- Native messaging host: com.anthropic.claude_code_browser_extension, routed
through ~/.claude/chrome/chrome-native-host → claude --chrome-native-host
- Extension manifest CSP (extension_pages): "script-src 'self'; object-src
'self'; connect-src 'self' https://api.anthropic.com wss://api.anthropic.com
... https://.segment.com ... https://browser-intake-us5-datadoghq.com
wss://bridge.claudeusercontent.com ...; style-src 'self' 'unsafe-inline';
img-src 'self' data: https:; font-src 'self' data:;"
Suggested fixes (from the outside — minified bundle, not source):
- Errors 1/2: whitelist the inline script hash in
content_security_policy.extension_pages (hash is deterministic:
sha256-kFwyFWA0myfqRcE5y2d5UX8g0o2QFHSmCz1gWSW0xpk=), or move that script to
an external file.
- Error 3: the bundle imports @datadog/browser-* twice; gate to a single init.
- Error 4: either add
https://cdn.segment.comtoscript-srcor disable
Segment's dynamic plugin loader for the extension build. connect-src already
permits Segment; script-src does not.
- Error 5: wrap
chrome.runtime.sendMessage/chrome.tabs.sendMessagecalls
with .catch(() => {}), or skip tabs whose URL starts with chrome://,
chrome-extension://, about:, edge://, devtools://.
- Error 6: check
chrome.runtime.lastErrorafter every
chrome.debugger.detach() call, or short-circuit when no prior attach is
recorded.
- Bridge: when
wss://bridge.claudeusercontent.com/chrome/<userId>returns
{"type":"error","error":"Invalid token or user mismatch"}, the CLI should
surface an "OAuth token missing required scope; please run claude auth" message instead of the generic "Browser extension is not connected"
login
hint (the extension IS connected; the CLI side is the one rejected).
- CLI: handle
routing_ackbridge messages to suppress the "Unrecognized
bridge message type" warning.
<img width="2576" height="1657" alt="Image" src="https://github.com/user-attachments/assets/1bc5afe3-514b-472f-97cd-4258882a5c12" />
<img width="2576" height="1373" alt="Image" src="https://github.com/user-attachments/assets/c9df205e-d0da-45aa-8441-788cd3350c07" />
<img width="1008" height="798" alt="Image" src="https://github.com/user-attachments/assets/49b8ef14-e479-48ed-8388-ab55ced68d82" />
<img width="984" height="154" alt="Image" src="https://github.com/user-attachments/assets/df1854d8-d110-4688-82b7-ef4557f2db9e" />
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗