Firefox browser loads with a content-security-policy that includes chrome-extension://iaii...* and http://localhost:*

We create profiles of websites for firewall rules, and we have some questions about the chatgpt.com content-security-policy.

When I load chatgpt.com through Firefox, I get the following content-security-policy

I am surprised by the inclusion of some of the resources, like:

  • http://*
  • http://localhost:*
  • frame-ancestors chrome-extension://iaiigpefkbhgjcmcmffmfkpmhemdhdnj
  • https://docs.google.com
  • https://drive-thirdparty.googleusercontent.com

Is it unsafe to allow a connection to http://* and http://localhost:* (man-in-the-middle attacks)?

Why rely on a browser-specific platform (i.e., chrome-extension://iaiigpefkbhgjcmcmffmfkpmhemdhdnj)?

P.S. I was blocked from posting the content-security-policy (links are not allowed), so here I shared a picture of the policy broken down by section and highlights (ChatGPT has helped me pull the text from images). Also, I merged two images because I got the error that new users can post only one image.

1 Like
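
As an added example (not part of the original post, and not code from the site discussed), here is a small Python audit that parses a CSP header and labels the kinds of sources the post asks about, which helps when turning a policy into firewall-profile entries. The sample policy is constructed: only the `frame-ancestors` entry is tied to a directive in the post, and the placement of the other sources and the finding labels are assumptions.

```python
# Added example: flag the CSP source kinds questioned in the post above.
LOOPBACK = {"localhost", "127.0.0.1"}
WEB_SCHEMES = {"http", "https", "ws", "wss"}
CLEARTEXT = {"http", "ws"}

def parse_csp(header):
    """Return {directive: [sources]}. A repeated directive is ignored (first wins)."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def classify(source):
    """Return a finding label for one source expression, or None if unremarkable."""
    if source.startswith("'"):            # 'self', 'none', nonces, hashes
        return None
    scheme, sep, rest = source.partition("://")
    if not sep:                           # "*", "http:", or a bare host
        return "cleartext-any-host" if source.lower() in ("http:", "ws:") else None
    scheme = scheme.lower()
    host = rest.split("/", 1)[0].split(":", 1)[0].lower()
    if scheme not in WEB_SCHEMES:
        return "non-web-scheme"           # e.g. chrome-extension://, browser-specific
    if scheme in CLEARTEXT:
        if host == "*":
            return "cleartext-any-host"
        return "cleartext-loopback" if host in LOOPBACK else "cleartext-host"
    return None

def audit(header):
    """List (directive, source, finding) for every flagged source in the policy."""
    return [(name, src, label)
            for name, sources in parse_csp(header).items()
            for src in sources
            if (label := classify(src))]

# Constructed sample. Only the frame-ancestors entry is tied to a directive in
# the post; the placement of the other sources is assumed for illustration.
SAMPLE = ("default-src 'self'; "
          "connect-src 'self' http://* http://localhost:* "
          "https://drive-thirdparty.googleusercontent.com; "
          "frame-src https://docs.google.com; "
          "frame-ancestors chrome-extension://iaiigpefkbhgjcmcmffmfkpmhemdhdnj")

if __name__ == "__main__":
    for directive, source, finding in audit(SAMPLE):
        print(f"{directive:16} {source:60} {finding}")
```
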

For Google Drive and third-party, the service connects with Google Drive to share files. This is an option that some people have access to enable to link to their own Google account.

Thanks for reporting the other stuff. As you are such a new user, you have limited permissions on links and images, but if you are around for longer you get more permissions.