I’m working on a Chrome extension and wanted to load scripts from localhost for development. So I updated the manifest file to have the following line:
"content_security_policy": "script-src 'self' http://localhost; object-src 'self'",
According to the doc on Content Security Policy, it’s perfectly fine to use localhost or 127.0.0.1 without https.
However, I get the following (taunting) error message when I try to load the extension from chrome://chrome/extensions/:
Could not load extension from '/Users/Tim/Desktop/temp/test'. Invalid value for 'content_security_policy': Both 'script-src' and 'object-src' directives must be specified (either explicitly, or implicitly via 'default-src'), and both must whitelist only secure resources. You may include any of the following sources: "'self'", "'unsafe-eval'", "http://127.0.0.1", "http://localhost", or any "https://" or "chrome-extension://" origin. For more information, see http://developer.chrome.com/extensions/contentSecurityPolicy.html
To confirm the problem, you can create an empty directory with the following manifest.json file:
{
    "name": "Example extension",
    "description": "Trying to demonstrate a bug in Chrome",
    "version": "0.1",
    "homepage_url": "http://example.com",
    "content_security_policy": "script-src 'self' http://localhost; object-src 'self'",
    "manifest_version": 2
}
and load the directory as an unpacked extension. You should be getting the error. If you remove http://localhost or change it to https://localhost, it will load fine.
Am I missing something?
(NB: I’m using Chrome 22.0.1229.79)
Thanks!
The ability to add localhost to the CSP value was enabled by Chromium revision 151470, which is in Chrome 23 (currently in the dev channel, soon to be in the beta channel).
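An added example, not code from the question, the answer or Chrome itself: a small linter that applies the rule quoted in the error message to a manifest's content_security_policy string, so a policy can be checked before loading the extension. It assumes, per the answer, that the http://localhost and http://127.0.0.1 sources are only honoured from Chrome 23 on, and it treats any other token (including 'unsafe-inline' or a plain http:// origin) as insecure.

```javascript
// Rule modelled from the error message: script-src and object-src must both be set
// (explicitly or via default-src) and every source must be one of 'self',
// 'unsafe-eval', http://127.0.0.1, http://localhost, or an https:// or
// chrome-extension:// origin. The chromeMajor parameter is our assumption:
// the two plain-http host sources are accepted only for Chrome 23 and later.

const LOCAL_HTTP_SOURCES = new Set(["http://127.0.0.1", "http://localhost"]);

// Split "dir a b; dir2 c" into { dir: ["a", "b"], dir2: ["c"] }.
function parsePolicy(csp) {
  const directives = {};
  for (const part of csp.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

function sourceAllowed(src, chromeMajor) {
  const s = src.toLowerCase();
  if (s === "'self'" || s === "'unsafe-eval'") return true;
  if (LOCAL_HTTP_SOURCES.has(s)) return chromeMajor >= 23;
  // Any https:// or chrome-extension:// origin (host, optional port, no path).
  return /^(https|chrome-extension):\/\/[^/\s]+\/?$/.test(s);
}

// Returns { ok, problems } where problems lists every directive/source violation.
function checkExtensionCsp(csp, chromeMajor) {
  const d = parsePolicy(csp);
  const problems = [];
  for (const name of ["script-src", "object-src"]) {
    const sources = d[name] || d["default-src"];
    if (!sources) {
      problems.push(`${name} missing (and no default-src)`);
      continue;
    }
    for (const src of sources) {
      if (!sourceAllowed(src, chromeMajor)) problems.push(`${name}: insecure source ${src}`);
    }
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample: the policy from the question, checked for Chrome 22 and 23.
const QUESTION_CSP = "script-src 'self' http://localhost; object-src 'self'";
console.log(checkExtensionCsp(QUESTION_CSP, 22)); // rejected: http://localhost
console.log(checkExtensionCsp(QUESTION_CSP, 23)); // ok
```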