The “Refused to Load the Script” Nightmare
You build a Chrome extension. Everything works perfectly during development. The popup works, the content scripts work, and the API calls behave exactly how you expected.
Then you upload the extension to the Chrome Web Store and suddenly your extension throws:
Refused to load the script 'https://cdn.example.com/script.js' because it violates the following Content Security Policy directive: "script-src 'self'"
Or worse — your extension gets rejected completely.
Manifest V3 Blocks Unsafe Script Execution
Blocked by MV3
- External CDN scripts
- Inline JavaScript
- eval()
- new Function()
- Dynamic remote code execution
Quick Fixes
- Bundle JavaScript locally
- Use production builds
- Remove inline scripts
- Disable eval-based source maps
- Avoid remote script injection
What Is Content Security Policy (CSP)?
Content Security Policy is a browser security mechanism that controls what JavaScript can execute and where scripts can load from.
```json
"content_security_policy": {
  "extension_pages": "script-src 'self'; object-src 'self'"
}
```
| Allowed | Blocked |
|---|---|
| Local bundled scripts | CDN scripts |
| Static imports | Inline scripts |
| Service workers | Dynamic execution |
| Extension assets | Remote executable code |
Most Common Mistakes That Cause CSP Errors
External CDN Scripts
Using external <script src='https://...'> inside extension pages.
Inline JavaScript
Using inline <script> tags or onclick handlers in popup HTML.
eval() & new Function()
Bundler development builds inject eval-based source maps that violate MV3 CSP.
Analytics SDKs
Third-party analytics often dynamically load remote scripts.
Remote Script Injection
Injecting scripts from external URLs into webpages.
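The inline-handler mistake above, rewritten the way `script-src 'self'` requires, as an added example rather than code from the original article. It assumes a popup.html containing elements `#token` and `#save` plus `<script src="popup.js">`, and a Promise-returning `chrome.storage.local.set()`; `doc` and `storage` are injected so the wiring can be exercised outside Chrome.

```javascript
// popup.js: all logic for popup.html lives here, loaded with
//   <script src="popup.js"></script>
// Before (refused under "script-src 'self'"), popup.html had
//   <button onclick="saveToken()">Save</button>
//   <script>function saveToken() { /* ... */ }</script>
// After, it carries only markup:
//   <input id="token"><button id="save">Save</button>

// Bind handlers through the DOM API instead of inline attributes.
// `doc` and `storage` are injected so the function can be exercised
// outside a browser; in the real popup they are `document` and
// `chrome.storage.local` (assumed here to have a Promise-returning set()).
function initPopup(doc, storage) {
  const input = doc.getElementById('token');
  const button = doc.getElementById('save');
  if (!input || !button) {
    throw new Error('popup.html is missing #token or #save');
  }
  button.addEventListener('click', () => {
    const token = input.value.trim();
    if (token === '') return Promise.resolve(false); // nothing to store
    return storage.set({ token }).then(() => true);
  });
}

// In the browser, wire up once the DOM is ready; guarded so the same
// file can also be loaded outside Chrome for testing.
if (typeof document !== 'undefined' && typeof chrome !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => {
    initPopup(document, chrome.storage.local);
  });
}
```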
Why Extensions Work Locally But Fail After Packaging
During development, tools like Vite and Webpack inject scripts, use eval-based source maps, and allow localhost behavior that works temporarily.
After packaging, Manifest V3 applies strict CSP rules and Chrome reviewers scan the built output directly.
```js
// webpack.config.js

// WRONG: NEVER use in MV3 production builds (emits eval-wrapped modules)
module.exports = {
  devtool: 'eval'
}

// Correct configuration: separate .map files, no eval in the bundle
module.exports = {
  mode: 'production',
  devtool: 'source-map'
}
```
How Chrome Reviewers Detect These Problems
Chrome Web Store review is heavily automated. Google uses static analysis systems that scan extension packages for unsafe patterns.
- eval(
- new Function(
- unsafe-eval
- external scripts
- remote loaders
- obfuscated code
- suspicious permissions
The Complete MV3 CSP Fix Checklist
Best Practices for Manifest V3 Development
Bundle everything locally
Prevents remote execution and policy violations.
Never use eval()
Chrome treats eval usage as a major security risk.
Avoid inline JavaScript
Inline execution violates MV3 Content Security Policy.
Build in production mode
Prevents eval-based source maps from appearing in builds.
Validate before submission
Catch rejection triggers before reviewers do.
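A pre-submission check for the triggers listed under reviewer detection and for the last checklist item, as an added example rather than the article's own tooling: it scans an in-memory copy of the built extension for the same patterns (eval, new Function, inline and external scripts, inline handlers, a loosened manifest CSP). The file contents are constructed, and the regexes are heuristics assumed here, not Google's actual scanner.

```javascript
// Heuristic pre-submission scan of a built extension held in memory.
// `files` maps a path inside the unpacked extension to its text content.
// Patterns are assumptions mirroring the triggers above, not Google's scanner.
const JS_RULES = [
  { re: /\beval\s*\(/g, msg: 'eval() call' },
  { re: /\bnew\s+Function\s*\(/g, msg: 'new Function() call' },
];
const HTML_RULES = [
  { re: /<script\b(?![^>]*\bsrc\s*=)[^>]*>/gi, msg: 'inline <script> block' },
  { re: /<script\b[^>]*\bsrc\s*=\s*["']?(?:https?:)?\/\//gi, msg: 'external <script src>' },
  { re: /\son[a-z]+\s*=\s*["']/gi, msg: 'inline event handler attribute' },
];

// Run every rule over one file, recording a 1-based line for each hit.
function applyRules(path, text, rules, findings) {
  for (const { re, msg } of rules) {
    re.lastIndex = 0; // regexes are shared between files, so reset them
    let m;
    while ((m = re.exec(text)) !== null) {
      findings.push({ path, line: text.slice(0, m.index).split('\n').length, msg });
    }
  }
}

// The manifest must not loosen "script-src 'self'" for extension pages.
function checkManifest(path, text, findings) {
  const pages = (JSON.parse(text).content_security_policy || {}).extension_pages || '';
  if (/'unsafe-eval'/.test(pages)) findings.push({ path, line: 1, msg: "'unsafe-eval' in extension_pages CSP" });
  if (/script-src[^;]*https?:/.test(pages)) findings.push({ path, line: 1, msg: 'remote host in extension_pages script-src' });
}

// Dispatch on file type; returns the list of findings (empty means clean).
function scanExtension(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    if (path === 'manifest.json') checkManifest(path, text, findings);
    else if (/\.js$/.test(path)) applyRules(path, text, JS_RULES, findings);
    else if (/\.html?$/.test(path)) applyRules(path, text, HTML_RULES, findings);
  }
  return findings;
}
// Constructed sample of a build that trips every rule (six findings).
const SAMPLE_BUILD = {
  'manifest.json': '{"manifest_version":3,"content_security_policy":' +
    '{"extension_pages":"script-src \'self\' \'unsafe-eval\'; object-src \'self\'"}}',
  'popup.html': '<button onclick="go()">Go</button>\n' +
    '<script src="https://cdn.example.com/script.js"></script>\n<script>go()</script>',
  'background.js': 'const f = new Function("return 1");\neval("f()");',
};
```

Run it over the unpacked `dist/` directory by reading each file into the `files` map; any non-empty result is something the store scanner would also see.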
FAQ
Why does Manifest V3 block external scripts?
Because remote scripts can change extension behavior after review, making extensions unsafe.
Can Chrome extensions use CDN JavaScript?
No. Manifest V3 blocks remotely hosted executable scripts.
Is eval() allowed in Chrome extensions?
No. eval() and new Function() violate MV3 CSP rules.
Why does my extension work locally but fail in production?
Development builds often inject eval-based code or localhost scripts that are blocked in production.
How can I avoid Chrome Web Store rejection cycles?
Validate your extension before submission using automated MV3 validation tools.