Web-accessible resources are files inside an extension that can be accessed by web pages or otherextensions. Extensions typically use this feature to expose images or other assets that need to beloaded in web pages, but any asset included in an extension's bundle can be made web accessible.

By default no resources are web accessible, as this allows a malicious website tofingerprint extensions that a user has installedor exploit vulnerabilities (for exampleXSS bugs) in installed extensions. Only pages or scripts loaded from an extension's origincan access that extension's resources.

Manifest declaration

Use theweb_accessible_resources manifest property to declare which resources are exposed and towhat origins. This property is an array of objects that declares resource access rules. Each objectmaps an array of extension resources to an array of URLs and/or extension IDs that can access those resources.

{..."web_accessible_resources":[{"resources":["test1.png","test2.png"],"matches":["https://web-accessible-resources-1.glitch.me/*"]},{"resources":["test3.png","test4.png"],"matches":["https://web-accessible-resources-2.glitch.me/*"],"use_dynamic_url":true}],...}

Each object in the array contains these elements:

"resources"

An array of strings, each containing a relative path to a given resource from the extension's root directory. Resources may contain asterisks (*) for wildcard matches. For example,"/images/*" exposes everything in the extension'simages/ directory, recursively, while"*.png" exposes all PNG files.

"matches"

An array of strings, each containing amatch pattern that specifies which sites can access this set of resources. Only the origin is used to match URLs. Origins include subdomain matching. Google Chrome emits an "Invalid match pattern" error if the pattern has a path other than '/*'.

"extension_ids"

An array of strings, each containing the ID of an extension that can access the resources.

"use_dynamic_url"

If true, only allow resources to be accessed through a dynamic ID. A dynamic ID is generated per session. That means it is regenerated when the browser restarts or the extension reloads.

Each element must include a"resources" element and either a"matches" or"extension_ids" element. This establishes a mapping that exposes the specified resources to either web pages matching the pattern or to extensions with matching IDs. The"use_dynamic_url" element is optional.

Navigability of resources

Resources are available in a webpage via the URLchrome-extension://[PACKAGE ID]/[PATH], which can be generated with theruntime.getURL()method. The resources are served with appropriateCORS headers, so they're availableviafetch().

A navigation from a web origin to an extension resource is blocked unless the resource islisted as web accessible. Note these corner cases:

• When an extension uses thewebRequest API to redirect a publicresource request to a resource that is not web accessible, such a request is also blocked.
• The above holds true even if the resource that is not web accessible is owned by the redirectingextension.
• Navigation is blocked in incognito mode unless the value of the"incognito" field is set to"split".

Content scripts themselves do not need to be allowed.

Example

TheWeb Accessible Resources example demonstrates the use of this element in a working extension.