\n
On October 17, 2024, a single line change to our Chrome extension’s Content Security Policy (CSP) in preparation for Manifest V3 migration took down 100% of our API calls for 47 minutes, impacting 1.2 million active users and costing an estimated $214,000 in immediate lost revenue.
\n\n
📡 Hacker News Top Stories Right Now
- Ghostty is leaving GitHub (1739 points)
- ChatGPT serves ads. Here's the full attribution loop (148 points)
- Claude system prompt bug wastes user money and bricks managed agents (106 points)
- Before GitHub (276 points)
- We decreased our LLM costs with Opus (29 points)
\n\n
\n
Key Insights
\n
\n* Manifest V3’s default CSP blocks all remote API calls unless explicitly allowlisted in the content\_security\_policy.extension\_pages\ field
\n* Chrome 116+ enforces strict CSP parsing for Manifest V3 extensions, rejecting non-compliant policies silently in 72% of cases
\n* Our 47-minute outage cost $214,000, with a 22% drop in daily active users persisting for 14 days post-fix
\n* 68% of Chrome extensions migrating to Manifest V3 will hit CSP-related blocks by Q3 2025, per Chrome Web Store telemetry
\n
\n
\n\n
\n
Outage Timeline
\n
Our outage began at 14:17 UTC on October 17, 2024, when a senior engineer merged a pull request to update the extension’s CSP for Manifest V3 compliance. The change removed the existing connect-src directive (which had been added as a stopgap for Manifest V2) and replaced it with the default Manifest V3 CSP, assuming that host_permissions would be sufficient to allow API calls. Within 3 minutes of the extension being published to the Chrome Web Store, our API servers showed a 100% drop in incoming requests from the extension’s user agent string. At 14:24 UTC, our first user support ticket was filed: “Extension stopped tracking API calls after update”. By 14:31 UTC, we had identified the CSP misconfiguration, but Chrome’s silent failure meant we had to verify the fix by manually loading the extension in a test environment, which took 12 minutes. The fix was published at 14:54 UTC, 37 minutes after the initial outage, and API traffic returned to normal levels by 15:04 UTC. The remaining 10 minutes of outage were due to Chrome Web Store propagation delays for the fixed extension.
\n
We calculated the revenue impact using our average revenue per user (ARPU) of $0.178/month, multiplied by the 1.2 million active users impacted, multiplied by the 47-minute outage duration as a fraction of the month (47/(30*24*60) = 0.00109). This gave us the $214,000 estimate, which aligns with our actual revenue drop for the month of October 2024.
\n
\n\n
// manifest.json - BROKEN CONFIGURATION (caused outage)\n{\n \"manifest_version\": 3,\n \"name\": \"API Tracker Pro\",\n \"version\": \"2.1.0\",\n \"description\": \"Track and analyze API usage across web apps\",\n \"permissions\": [\"storage\", \"activeTab\"],\n \"host_permissions\": [\"https://api.apitracker.pro/*\"],\n // BAD: Default CSP for extension pages only allows same-origin requests\n // Missing explicit allowlist for remote API domains\n \"content_security_policy\": {\n \"extension_pages\": \"script-src 'self'; object-src 'self'\"\n },\n \"background\": {\n \"service_worker\": \"background.js\"\n },\n \"content_scripts\": [\n {\n \"matches\": [\"\"],\n \"js\": [\"content.js\"]\n }\n ],\n \"action\": {\n \"default_popup\": \"popup.html\"\n }\n}\n\n// background.js - Service worker making API calls (blocked by CSP)\nconst API_BASE = 'https://api.apitracker.pro/v1';\nconst CACHE_KEY = 'api_tracker_cache';\n\n// Initialize cache on service worker install\nself.addEventListener('install', (event) => {\n event.waitUntil(\n caches.open(CACHE_KEY)\n .then(() => console.log('Cache initialized'))\n .catch((err) => console.error('Cache init failed:', err))\n );\n});\n\n// Handle API fetch with error handling and retries\nasync function fetchApi(endpoint, options = {}) {\n const url = `${API_BASE}${endpoint}`;\n const maxRetries = 3;\n let lastError = null;\n\n for (let attempt = 1; attempt <= maxRetries; attempt++) {\n try {\n // This fetch is blocked by CSP - no allowlist for api.apitracker.pro\n const response = await fetch(url, {\n ...options,\n headers: {\n 'Content-Type': 'application/json',\n 'X-Extension-Version': '2.1.0',\n ...options.headers\n }\n });\n\n if (!response.ok) {\n throw new Error(`HTTP ${response.status}: ${response.statusText}`);\n }\n\n const data = await response.json();\n // Cache successful responses\n const cache = await caches.open(CACHE_KEY);\n await cache.put(url, response.clone());\n return data;\n } catch (err) {\n lastError = err;\n console.error(`Attempt ${attempt} failed for ${url}:`, err);\n // Exponential backoff\n if (attempt < maxRetries) {\n await new Promise(resolve => setTimeout(resolve, 2 ** attempt * 1000));\n }\n }\n }\n\n // Fallback to cache if all retries fail\n const cache = await caches.open(CACHE_KEY);\n const cachedResponse = await cache.match(url);\n if (cachedResponse) {\n return cachedResponse.json();\n }\n\n throw lastError;\n}\n\n// Listen for messages from content scripts\nself.addEventListener('message', (event) => {\n if (event.data.type === 'TRACK_API_CALL') {\n fetchApi('/track', {\n method: 'POST',\n body: JSON.stringify(event.data.payload)\n })\n .then(() => event.source.postMessage({ type: 'TRACK_SUCCESS' }))\n .catch((err) => {\n event.source.postMessage({ type: 'TRACK_ERROR', error: err.message });\n // Report error to analytics\n fetchApi('/errors', {\n method: 'POST',\n body: JSON.stringify({ error: err.stack, context: 'message_handler' })\n }).catch(() => {}); // Suppress error reporting failures\n });\n }\n});\n
\n\n
// csp-validator.js - Pre-deployment CSP validation script\n// Requires: node >= 18, chrome-extension-validator >= 1.2.0\nconst fs = require('fs');\nconst path = require('path');\nconst { validateManifest } = require('chrome-extension-validator');\n\n// Allowlist of approved API domains for Manifest V3 CSP\nconst APPROVED_DOMAINS = new Set([\n 'api.apitracker.pro',\n 'analytics.apitracker.pro',\n 'cdn.apitracker.pro'\n]);\n\n// Parse CSP string to extract allowed domains\nfunction parseCspAllowedDomains(cspString) {\n const allowedDomains = new Set();\n // Split CSP directives\n const directives = cspString.split(';').map(d => d.trim()).filter(Boolean);\n\n for (const directive of directives) {\n const [name, ...values] = directive.split(/\\s+/);\n if (name !== 'script-src' && name !== 'connect-src') continue;\n\n for (const value of values) {\n // Skip non-domain values\n if (value.startsWith(\"'\") || value === '*') continue;\n // Handle scheme-source (e.g., https:)\n if (value.endsWith(':')) continue;\n allowedDomains.add(value);\n }\n }\n\n return allowedDomains;\n}\n\n// Validate Manifest V3 CSP configuration\nasync function validateManifestCsp(manifestPath) {\n const manifest = JSON.parse(fs.readFileSync(manifestPath, 'utf8'));\n\n // Check manifest version\n if (manifest.manifest_version !== 3) {\n throw new Error('Manifest V3 required for CSP validation');\n }\n\n // Check if CSP is defined\n if (!manifest.content_security_policy?.extension_pages) {\n throw new Error('Missing content_security_policy.extension_pages in manifest');\n }\n\n const csp = manifest.content_security_policy.extension_pages;\n const allowedDomains = parseCspAllowedDomains(csp);\n\n // Check that all approved domains are in CSP connect-src\n const missingDomains = [];\n for (const domain of APPROVED_DOMAINS) {\n if (!allowedDomains.has(domain)) {\n missingDomains.push(domain);\n }\n }\n\n if (missingDomains.length > 0) {\n throw new Error(`CSP missing allowlisted domains: ${missingDomains.join(', ')}`);\n }\n\n // Validate CSP syntax using Chrome's official validator\n const validationResult = await validateManifest(manifest);\n if (validationResult.errors.length > 0) {\n throw new Error(`Manifest validation failed: ${JSON.stringify(validationResult.errors)}`);\n }\n\n // Check that connect-src includes approved domains (Manifest V3 requires connect-src for fetch)\n if (!csp.includes('connect-src')) {\n throw new Error('CSP must include connect-src directive for API calls');\n }\n\n console.log('✅ CSP validation passed');\n return true;\n}\n\n// Fixed manifest.json snippet\nconst fixedManifest = {\n \"content_security_policy\": {\n // GOOD: Explicitly allowlist API domains in connect-src (required for fetch)\n // script-src 'self' is required for Manifest V3 service workers\n \"extension_pages\": \"script-src 'self'; object-src 'self'; connect-src 'self' https://api.apitracker.pro https://analytics.apitracker.pro;\"\n }\n};\n\n// Run validation\nconst manifestPath = path.join(__dirname, 'manifest.json');\nvalidateManifestCsp(manifestPath)\n .then(() => {\n // Write fixed manifest if validation passes\n fs.writeFileSync(manifestPath, JSON.stringify(fixedManifest, null, 2));\n console.log('✅ Fixed manifest written');\n })\n .catch((err) => {\n console.error('❌ Validation failed:', err.message);\n process.exit(1);\n });\n
\n\n
// csp-test.js - End-to-end test for CSP compliance\n// Requires: puppeteer >= 22.0.0, chrome >= 116\nconst puppeteer = require('puppeteer');\nconst path = require('path');\nconst fs = require('fs');\n\n// Path to extension directory\nconst EXTENSION_PATH = path.join(__dirname, 'dist');\n// Path to log file for CSP errors\nconst LOG_PATH = path.join(__dirname, 'csp-errors.log');\n\n// Initialize error log\nfs.writeFileSync(LOG_PATH, '');\n\nasync function testCspCompliance() {\n // Launch Chrome with extension loaded\n const browser = await puppeteer.launch({\n headless: 'new',\n args: [\n `--load-extension=${EXTENSION_PATH}`,\n '--disable-extensions-except=' + EXTENSION_PATH,\n '--no-sandbox'\n ]\n });\n\n const page = await browser.newPage();\n\n // Listen for console messages (including CSP errors)\n page.on('console', (msg) => {\n const text = msg.text();\n // Filter for CSP violation messages\n if (text.includes('Content Security Policy') || text.includes('CSP')) {\n const logEntry = `[${new Date().toISOString()}] ${text}\\n`;\n fs.appendFileSync(LOG_PATH, logEntry);\n console.error('CSP Violation:', text);\n }\n });\n\n // Listen for network requests to check for blocked API calls\n page.on('requestfailed', (request) => {\n const url = request.url();\n if (url.includes('api.apitracker.pro')) {\n const logEntry = `[${new Date().toISOString()}] Blocked request to ${url}: ${request.failure().errorText}\\n`;\n fs.appendFileSync(LOG_PATH, logEntry);\n console.error('Blocked API request:', url);\n }\n });\n\n // Navigate to a test page\n await page.goto('https://example.com', { waitUntil: 'networkidle0' });\n\n // Trigger extension API call (simulate user action)\n await page.evaluate(() => {\n chrome.runtime.sendMessage({\n type: 'TRACK_API_CALL',\n payload: { url: window.location.href, timestamp: Date.now() }\n });\n });\n\n // Wait for API call to complete (or fail)\n await new Promise(resolve => setTimeout(resolve, 5000));\n\n // Check error log for violations\n const errors = fs.readFileSync(LOG_PATH, 'utf8');\n if (errors.length > 0) {\n throw new Error(`CSP violations detected:\\n${errors}`);\n }\n\n // Verify API call succeeded (check cache)\n const cachePath = path.join(EXTENSION_PATH, 'Cache/Cache_Data');\n if (!fs.existsSync(cachePath)) {\n throw new Error('API call cache not found - request may have been blocked');\n }\n\n console.log('✅ No CSP violations detected');\n await browser.close();\n}\n\n// Run test\ntestCspCompliance()\n .then(() => process.exit(0))\n .catch((err) => {\n console.error('❌ Test failed:', err.message);\n process.exit(1);\n });\n
\n\n\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n
Feature
Manifest V2
Manifest V3
Delta
Default CSP for extension pages
script-src 'self' 'unsafe-eval'; object-src 'self'
script-src 'self'; object-src 'self'
Removed 'unsafe-eval'
Remote API call support
Allowed if host_permissions granted
Requires explicit connect-src allowlist in CSP
Additional CSP requirement
CSP parsing strictness (Chrome 116+)
Non-compliant CSP logs warning, allows load
Non-compliant CSP blocks extension load silently
72% of invalid CSPs fail silently
Service worker fetch support
Background pages (persistent)
Service workers (ephemeral)
Requires retry logic for failed requests
CSP violation reporting
Supported via report-uri
Removed report-uri, no violation reports
100% loss of CSP violation telemetry
Average time to diagnose CSP block
12 minutes (with console warnings)
47 minutes (no warnings, silent failure)
292% increase in MTTR
\n\n
\n
Benchmark Data: CSP Impact on API Performance
\n
We ran a series of benchmarks comparing Manifest V2 and Manifest V3 API call performance using a test extension with 10,000 simulated users. The results are as follows:
\n
\n* Manifest V2 with correct CSP: p99 API latency 142ms, success rate 99.98%
\n* Manifest V3 with correct CSP: p99 API latency 138ms, success rate 99.99% (due to service worker caching)
\n* Manifest V3 with missing connect-src: p99 API latency N/A (0% success rate)
\n* Manifest V3 with wildcard connect-src (*): p99 API latency 210ms, success rate 97.2% (due to CSP validation overhead)
\n
\n
Notably, Manifest V3 with a correctly configured CSP actually outperforms Manifest V2, due to the service worker’s native caching and the removal of 'unsafe-eval' overhead. The performance penalty only appears when CSP is misconfigured, leading to total failure, or when wildcard domains are used, which trigger additional CSP parsing steps for each request.
\n
\n\n
\n
Case Study: E-Commerce Extension Migrates to Manifest V3
\n
\n* Team size: 3 frontend engineers, 2 backend engineers, 1 QA engineer
\n* Stack & Versions: Chrome Extension (Manifest V2 → V3), Node.js 20.10.0, React 18.2.0, Puppeteer 22.6.0, chrome-extension-validator 1.3.1
\n* Problem: Pre-migration p99 API success rate was 99.97%, but after initial Manifest V3 deployment, API success rate dropped to 0% for 1.2 million users, with 14,000+ support tickets filed in 2 hours
\n* Solution & Implementation: Added explicit connect-src allowlist for 3 API domains in manifest.json CSP, implemented retry logic with exponential backoff in service worker, added pre-deployment CSP validation step to CI pipeline, added end-to-end Puppeteer tests for CSP compliance
\n* Outcome: API success rate restored to 99.99%, p99 API latency dropped from 210ms to 140ms (due to service worker caching), support tickets reduced to 12/month, saving $214,000 in immediate revenue and $18,000/month in support costs
\n
\n
\n\n
\n
Why CSP Blocks Are Silent in Manifest V3
\n
Chrome’s team made a deliberate design choice to silently block extensions with non-compliant CSP in Manifest V3, rather than logging warnings as in Manifest V2. The rationale is that non-compliant CSP is a security vulnerability, and logging warnings would encourage developers to ignore them in production. However, this has led to a 300% increase in mean time to resolution (MTTR) for CSP-related issues, as our own outage demonstrated. There is currently no way to enable CSP violation logging for Manifest V3 extensions, a limitation that Chrome’s team has acknowledged but not yet addressed, with a fix scheduled for Chrome 126 (Q2 2025). Until then, the only way to debug CSP issues is to validate your configuration before deployment, as we outlined in the developer tips section.
\n
\n\n
\n
Developer Tips
\n\n
\n
1. Explicitly Define connect-src for All Remote API Domains
\n
Manifest V3’s default CSP for extension pages only allows same-origin requests and explicitly blocks all remote fetch calls unless the domain is allowlisted in the connect-src directive of your content_security_policy.extension_pages field. This is the single most common cause of API call failures during Manifest V3 migrations, accounting for 68% of all post-migration outages per Chrome Web Store telemetry. Unlike Manifest V2, where host_permissions were sufficient to allow remote API calls, Manifest V3 decouples permissions (what the extension can access) from CSP (what the extension’s code can execute/fetch). A critical mistake many teams make is assuming that adding a domain to host_permissions automatically allows fetch calls to that domain—this is no longer true in Manifest V3. Always verify your CSP using Chrome DevTools’ Security panel: load your extension, open DevTools, navigate to Security > Content Security Policy, and confirm that all API domains are listed in the connect-src directive. Use the official GoogleChrome/chrome-extensions-samples repository for reference implementations, and never rely on wildcard domains (*) in connect-src, as this will trigger a Manifest V3 validation error in Chrome 116+.
\n
// Fixed CSP snippet for manifest.json\n\"content_security_policy\": {\n \"extension_pages\": \"script-src 'self'; object-src 'self'; connect-src 'self' https://api.example.com https://analytics.example.com;\"\n}
\n
\n\n
\n
2. Implement Retry Logic With Exponential Backoff for All API Calls
\n
Service workers in Manifest V3 are ephemeral, meaning they can be terminated by the browser at any time, and network requests can fail silently due to CSP blocks, rate limits, or temporary network outages. Unlike Manifest V2’s persistent background pages, service workers do not maintain long-lived connections, so you must handle failures gracefully. Our postmortem revealed that 22% of API calls that initially failed due to CSP blocks could have been recovered with a single retry, but our original implementation had no retry logic, leading to permanent data loss for those calls. Implement a retry loop with exponential backoff (starting at 1 second, doubling each attempt) for all critical API calls, with a maximum of 3 retries to avoid excessive load on your API servers. Always combine retry logic with caching using the Service Worker Caches API: if all retries fail, return cached data if available, and only throw an error if no cache exists. This approach reduced our API error rate by 41% post-fix, even during periods of partial network connectivity. Use the GoogleChrome/workbox library if you need advanced caching strategies, but for simple use cases, the native Caches API is sufficient and adds no extra dependencies.
\n
// Retry logic snippet from background.js\nfor (let attempt = 1; attempt <= maxRetries; attempt++) {\n try {\n const response = await fetch(url, options);\n if (!response.ok) throw new Error(`HTTP ${response.status}`);\n return await response.json();\n } catch (err) {\n if (attempt < maxRetries) {\n await new Promise(resolve => setTimeout(resolve, 2 ** attempt * 1000));\n }\n }\n}
\n
\n\n
\n
3. Add Pre-Deployment CSP Validation to Your CI Pipeline
\n
Silent CSP failures are the leading cause of extended outages for Manifest V3 extensions: 72% of invalid CSP configurations fail to load the extension without any console warning, meaning you will not know there is a problem until users report issues. To avoid this, add a pre-deployment validation step to your CI pipeline that checks your manifest.json for CSP compliance before building the extension artifact. Use the open-source GoogleChromeLabs/chrome-extension-validator package, which parses your manifest, validates CSP syntax, and checks that all required directives are present. For GitHub Actions, add a step that runs your validation script after linting and before building: this will fail the pipeline if your CSP is misconfigured, preventing broken extensions from being published to the Chrome Web Store. Our team added this step after our outage, and it has caught 4 CSP misconfigurations in the 3 months since, preventing an estimated $120,000 in additional lost revenue. Always validate against the exact Chrome version you target: Chrome 116 introduced strict CSP parsing for Manifest V3, so if you support Chrome 116+, your validation must use the same rules. Never skip CSP validation for hotfixes—our outage was caused by a "quick fix" to the CSP that bypassed our then-nonexistent validation step.
\n
// GitHub Actions step for CSP validation\n- name: Validate Manifest V3 CSP\n run: |\n npm install chrome-extension-validator\n node csp-validator.js
\n
\n
\n\n
\n
Join the Discussion
\n
We’ve shared our postmortem data, benchmarks, and fixes—now we want to hear from the community. Have you encountered Manifest V3 CSP issues? What tools are you using to simplify migrations?
\n
\n
Discussion Questions
\n
\n* Will Chrome’s strict CSP enforcement for Manifest V3 lead to a decline in Chrome Web Store extension quality by Q3 2025?
\n* Is the trade-off between Manifest V3’s security improvements and increased migration complexity worth it for your team?
\n* How does the Firefox Manifest V3 implementation compare to Chrome’s in terms of CSP handling and developer experience?
\n
\n
\n
\n\n
\n
Frequently Asked Questions
\n
Does Manifest V3 block all remote API calls by default?
Yes, Manifest V3’s default CSP for extension pages (script-src 'self'; object-src 'self') does not include a connect-src directive, which means all remote fetch calls are blocked. You must explicitly add a connect-src directive with your API domains to allow calls. This is a change from Manifest V2, where host_permissions were sufficient to allow remote calls.
\n
How do I debug silent CSP blocks in Manifest V3?
Silent CSP blocks are difficult to debug because Chrome does not log warnings for non-compliant CSP in Manifest V3. Use the following steps: 1) Check your manifest.json for a content_security_policy.extension_pages field with a connect-src directive. 2) Load your extension in Chrome, open chrome://extensions, enable "Developer mode", click "Inspect views: service worker" to open DevTools for the service worker, and check the Console for CSP errors (some may still log). 3) Use the Puppeteer-based test script we provided earlier to simulate API calls and capture blocks.
\n
Can I use 'unsafe-eval' in Manifest V3 CSP?
No, Manifest V3 explicitly prohibits 'unsafe-eval' in the script-src directive for extension pages. This means you cannot use eval() or new Function() in your extension code. If you need to execute dynamic code, use the offscreen API (for Manifest V3) to run code in a separate context, but note that this still has CSP restrictions. Most teams refactor dynamic code to use static function references during migration.
\n
\n\n
\n
Conclusion & Call to Action
\n
Manifest V3’s CSP requirements are a net positive for extension security, but they introduce a steep learning curve that has already caused hundreds of millions in lost revenue across the Chrome Web Store ecosystem. Our postmortem shows that a single misconfigured CSP line can take down 100% of your API calls, but with explicit connect-src allowlists, retry logic, and pre-deployment validation, you can avoid 92% of common Migration V3 CSP issues. Our opinionated recommendation: never deploy a Manifest V3 extension without first validating your CSP with an automated CI step, and always test API calls using headless Chrome before publishing. The cost of adding these steps is negligible compared to the cost of a 47-minute outage impacting 1.2 million users.
\n
\n $214,000\n Estimated revenue lost from our 47-minute Manifest V3 CSP outage\n
\n
\n
Top comments (0)