In order to minimize disruption and accommodate recent Extension reviews, we have made a few updates to how and when the CSP policy will be enforced this week.
The CSP enforcement date has been moved by two days to Thursday, January 27 and should begin sometime between 11am-12pm PST.
If you have submitted an Extension review request before January 25 at 12pm PST, your Extension will continue to function without the new CSP enforcement until the review has been completed. When your review is completed, regardless of the outcome, you can expect CSP enforcement for your Extension no sooner than 2 business days from that time. If your review takes place after January 27,
Content-Security-Policy-Report-Only headers will be sent for the new policy and any potential refusals will be seen in the developer tools console of the browser loading the Extension.
If you submit an Extension review request after January 25 at 12pm PST, your Extension may not be reviewed before the CSP enforcement on January 27.
The original announcement is included below with only the enforcement date altered to reflect this update.
Since its launch, thousands of Extensions have delivered exciting and dynamic experiences to millions of creators and viewers on Twitch. As the Extensions framework allows a high level of flexibility, we must occasionally make technical and policy changes to ensure the security, privacy, and safety of our communities. Today we are announcing a new policy for Extensions for this reason:
2.12 You must provide all URLs that are fetched by the Extension front end on each version submission, this includes but is not limited to images, video, audio, and fetch/XHR requests.
Alongside this new policy, Extensions developers must now set three new fields in the metadata of their Extension, “Allowlist for Image Domains”, “Allowlist for Media Domains”, and “Allowlist for URL Fetching Domains”. These fields will be used to define the allowed domains in the CSP directives
connect-src respectively. With these fields, developers will be able to define the domains that images and media can be safely loaded from, and which HTTPS/WSS domains can be safely connected to.
Starting today, you can submit new Extension versions with these domain allowlists defined. On
Tuesday, January 25, 2022 Thursday, January 27, 2022, all Extensions will be rendered with CSP policy enforced to only allow resources from your domain allowlists. We are making this announcement today to allow you sufficient time to update your Extension.
If you have any questions about this change, please consult the FAQ below, and feel free to comment directly on this thread.
While your Extension is in Hosted Test, you can use a tool to modify the headers (e.g. SimplyModifyHeaders) to rewrite your local CSP rules to only allow your list of trusted domains. You will add your domains to the CSP directives img-src, media-src, and connect-src. More information on CSPs can be found here.
Any Extension that serves front-end resources outside of the uploaded asset package, or connects to a remote resource (XHR, WebSockets), will need to specify the trusted domains that will be used. If all of your front-end resources are included in your uploaded asset package, and your front end does not connect to a remote resource, you will not need to set anything in the domain allowlist fields.
As a general rule, we cannot allow base domains of public hosting services. For example, if you are serving assets out of Amazon Web Services S3, we cannot allow
https://s3.us-west-2.amazonaws.com, but we could allow the domain name that specifies your bucket: (e.g.,
Any requests to include or to connect to resources will be blocked by the CSP, with the exception of resources included in your asset package, served from Twitch’s CDN.