From rad-chrome-extension
This skill should be used when working on security aspects of a Chrome extension or when the user asks about Chrome extension security best practices. Trigger when: implementing Content Security Policy in extensions, "extension CSP", "eval in extension", "content script security", "extension XSS", "remote code in extension", "MV3 security", "unsafe-eval", "content script isolation", "DOM safety in extension", "Trusted Types", "extension sandbox", "chrome extension security audit", "innerHTML in extension", "message validation".
Triggered by the user, by Claude, or both.

Slash command: `/rad-chrome-extension:chrome-ext-security`

Summary Claude sees in its skill listing (used to decide when to auto-load this skill):
MV3 enforces a strict security model. All executable code must be bundled locally. The Content Security Policy bans `eval()` and remote scripts. Content scripts operate in an isolated world but share a DOM with potentially hostile pages. The service worker is the trusted core — all messages from content scripts must be validated.
All executable JavaScript must be bundled locally within the extension package. No fetching scripts from CDNs, no dynamically loaded SDKs. Violating this triggers a Blue Argon Chrome Web Store (CWS) rejection.
These are banned in standard extension contexts:

- `eval()`
- `new Function(string)`
- `setTimeout(string)` / `setInterval(string)`

Escape hatches for legitimate needs:

- `userScripts` API (Chrome 120+) for user script managers
- `wasm-unsafe-eval` in CSP for WebAssembly

The manifest `content_security_policy` is declared as an object (not a string). No remote domains in `script-src`, `worker-src`, `object-src`, or `style-src`:
```json
{
  "content_security_policy": {
    "extension_pages": "script-src 'self'; object-src 'self'",
    "sandbox": "sandbox allow-scripts; script-src 'self' 'unsafe-eval'"
  }
}
```
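The two rules above (object-form CSP with no remote sources, and no `eval()`-style calls anywhere in the bundle) are easy to check mechanically before submission. The following build-time lint is an added example, not code from the rad-chrome-extension skill; the manifest samples are the policy from this page plus a constructed broken one, and all function names are hypothetical:

```javascript
// Added example, not from the rad-chrome-extension skill: a build-time lint for
// the manifest CSP rules and the banned dynamic-code calls. Names are hypothetical.

const CHECKED_DIRECTIVES = ["script-src", "worker-src", "object-src", "style-src"];

// Parse "script-src 'self'; object-src 'self'" into
// { "script-src": ["'self'"], "object-src": ["'self'"] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives[tokens[0].toLowerCase()] = tokens.slice(1).map((t) => t.toLowerCase());
  }
  return directives;
}

// Quoted keywords ('self', 'none', 'wasm-unsafe-eval', nonces, hashes) and the
// extension's own origin are local. An http(s) scheme, a bare host, or a
// wildcard host is a remote domain, which MV3 rejects in the checked directives.
function isRemoteSource(src) {
  if (src.startsWith("'") || src.startsWith("chrome-extension://")) return false;
  return /^(https?:|\*|[a-z0-9-]+(\.[a-z0-9-]+)+)/.test(src);
}

function checkPolicy(name, policy, allowUnsafeEval) {
  const problems = [];
  const directives = parseCsp(policy);
  for (const directive of CHECKED_DIRECTIVES) {
    for (const src of directives[directive] || []) {
      if (isRemoteSource(src)) problems.push(`${name}: remote source ${src} in ${directive}`);
    }
  }
  if (!allowUnsafeEval && (directives["script-src"] || []).includes("'unsafe-eval'")) {
    problems.push(`${name}: 'unsafe-eval' is not allowed in script-src`);
  }
  return problems;
}

// MV3 requires content_security_policy to be an object with extension_pages
// and/or sandbox keys; only the sandbox policy may carry 'unsafe-eval'.
function findCspViolations(manifest) {
  const csp = manifest.content_security_policy;
  if (csp === undefined) return [];
  if (csp === null || typeof csp !== "object") return ["content_security_policy must be an object in MV3, not a string"];
  const problems = [];
  if (typeof csp.extension_pages === "string") problems.push(...checkPolicy("extension_pages", csp.extension_pages, false));
  if (typeof csp.sandbox === "string") problems.push(...checkPolicy("sandbox", csp.sandbox, true));
  return problems;
}

// Source-level scan for the banned calls. Run it over the bundled output so
// that dependencies are covered too; they violate the CSP just like first-party code.
const SINK_PATTERNS = [
  { sink: "eval()", re: /\beval\s*\(/ },
  { sink: "new Function()", re: /\bnew\s+Function\s*\(/ },
  { sink: "setTimeout/setInterval with a string", re: /\bset(?:Timeout|Interval)\s*\(\s*["'`]/ },
];

function findDynamicCodeSinks(source) {
  const findings = [];
  source.split("\n").forEach((text, i) => {
    for (const { sink, re } of SINK_PATTERNS) {
      if (re.test(text)) findings.push({ line: i + 1, sink });
    }
  });
  return findings;
}

// Constructed samples: the manifest CSP from this page, a broken one, and a
// few lines of hypothetical bundle output.
const GOOD_MANIFEST = {
  manifest_version: 3,
  content_security_policy: {
    extension_pages: "script-src 'self'; object-src 'self'",
    sandbox: "sandbox allow-scripts; script-src 'self' 'unsafe-eval'",
  },
};
const BAD_MANIFEST = {
  manifest_version: 3,
  content_security_policy: {
    extension_pages: "script-src 'self' https://cdn.example.com 'unsafe-eval'; object-src 'self'",
  },
};
const SAMPLE_BUNDLE = [
  "const data = JSON.parse(input);",
  "const fn = new Function('a', 'return a * 2');",
  "setTimeout('poll()', 1000);",
  "setTimeout(() => poll(), 1000);",
  "const out = eval(expr);",
].join("\n");

console.log(findCspViolations(GOOD_MANIFEST)); // []
console.log(findCspViolations(BAD_MANIFEST)); // remote source, then 'unsafe-eval'
console.log(findDynamicCodeSinks(SAMPLE_BUNDLE)); // lines 2, 3 and 5
```

The regex scan is deliberately coarse: it flags `setTimeout` only when the first argument starts with a quote, so the function-argument form on line 4 of the sample passes, and it reports line numbers so a finding inside a minified dependency can be traced back to the package that introduced it.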
Standard minification (whitespace removal, variable shortening) is allowed. Base64 encoding logic, character encoding to hide functionality, or other obfuscation triggers Red Titanium rejection.
Content scripts share an execution environment with potentially malicious web pages. The service worker must:

- Validate every message from a content script (sender, message type, and payload shape) before acting on it
- Never pass message data into `eval()`, `innerHTML`, or other injection sinks

When injecting UI into web pages:

- Use `textContent` or `innerText` instead of `innerHTML` for text
- Use `document.createElement()` for DOM construction
- Remember that `fetch()` calls made from a content script are subject to the host page's CSP

NPM packages may internally use `eval()` or `new Function()`. This violates MV3 CSP and causes CWS rejection. Audit dependencies for these calls before bundling, and isolate unavoidable dynamic code in sandboxed iframes.
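The service-worker rule above (treat every content-script message as untrusted input) looks like this in practice. The handler below is an added example, not code from the rad-chrome-extension skill; the message schema (`type` plus `payload`), the message types, and the helper names are hypothetical, while `sender.id`, `sender.tab`, `sender.url` and `chrome.runtime.onMessage` are the real MessageSender fields and API:

```javascript
// Added example, not from the rad-chrome-extension skill: validate content-script
// messages in the service worker before any logic runs. Schema and names are hypothetical.

// Allow-list of message types with a payload validator for each. A message whose
// type is not listed here never reaches business logic.
const MESSAGE_SCHEMAS = {
  PAGE_TITLE: (p) => typeof p === "string" && p.length <= 512,
  SAVE_NOTE: (p) =>
    p !== null && typeof p === "object" &&
    typeof p.id === "string" && /^[a-z0-9-]{1,64}$/.test(p.id) &&
    typeof p.text === "string" && p.text.length <= 10000,
};

// Accept only messages from this extension's own content scripts running in a
// real http(s) tab. Other extensions, pages using externally_connectable, and
// senders without a tab are rejected.
function isTrustedSender(sender, extensionId) {
  if (!sender || sender.id !== extensionId) return false;
  if (!sender.tab || typeof sender.url !== "string") return false;
  return /^https?:\/\//.test(sender.url);
}

// Returns { ok: true, type, payload } or { ok: false, reason }.
function validateMessage(message, sender, extensionId) {
  if (!isTrustedSender(sender, extensionId)) return { ok: false, reason: "untrusted sender" };
  if (message === null || typeof message !== "object") return { ok: false, reason: "not an object" };
  // hasOwnProperty, not a plain lookup: a type such as "constructor" would
  // otherwise resolve to an inherited Object.prototype member and pass.
  if (typeof message.type !== "string" || !Object.prototype.hasOwnProperty.call(MESSAGE_SCHEMAS, message.type)) {
    return { ok: false, reason: "unknown message type" };
  }
  if (!MESSAGE_SCHEMAS[message.type](message.payload)) return { ok: false, reason: "bad payload" };
  return { ok: true, type: message.type, payload: message.payload };
}

// Wire the validator into the service worker when running inside Chrome. Node
// (used to run this file offline) has no chrome global, so this is skipped there.
if (typeof chrome !== "undefined" && chrome.runtime && chrome.runtime.onMessage) {
  chrome.runtime.onMessage.addListener((message, sender, sendResponse) => {
    const result = validateMessage(message, sender, chrome.runtime.id);
    if (!result.ok) {
      console.warn("dropped content-script message:", result.reason);
      sendResponse({ error: "rejected" });
      return;
    }
    // Dispatch on the validated type only; unvalidated fields are never read.
    sendResponse({ ok: true, handled: result.type });
  });
}

// Constructed sample senders and messages for running this offline.
const EXTENSION_ID = "hypothetical-extension-id";
const CONTENT_SCRIPT_SENDER = { id: EXTENSION_ID, tab: { id: 7 }, url: "https://example.com/article" };
const FOREIGN_SENDER = { id: "some-other-extension", tab: { id: 7 }, url: "https://example.com/" };

console.log(validateMessage({ type: "PAGE_TITLE", payload: "Hello" }, CONTENT_SCRIPT_SENDER, EXTENSION_ID)); // ok
console.log(validateMessage({ type: "PAGE_TITLE", payload: "Hello" }, FOREIGN_SENDER, EXTENSION_ID)); // untrusted sender
console.log(validateMessage({ type: "constructor", payload: {} }, CONTENT_SCRIPT_SENDER, EXTENSION_ID)); // unknown message type
```

The sender check is the part most often skipped: `chrome.runtime.onMessage` also receives messages from other extensions and, with `externally_connectable`, from web pages, so the handler confirms `sender.id` matches the extension's own id and that a tab is attached before it even looks at the message body.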
References:

- `references/csp-rules.md` — Complete CSP configuration guide for MV3 extensions
- `references/dom-safety.md` — Detailed DOM injection patterns, Trusted Types, and XSS prevention

Install the plugin with:

```shell
npx claudepluginhub radorigin-llc/rad-claude-skills --plugin rad-chrome-extension
```