web_accessible_resources

Type Array
Mandatory No
Manifest version 2 or higher
Example

json

"web_accessible_resources": [
  "images/my-image.png"
]

Description

Sometimes you want to package resources—for example, images, HTML, CSS, or JavaScript—with your extension and make them available to web pages and other extensions.

Note: Until Firefox 105, extensions could access resources packaged in other extensions by default. From Firefox 105 onwards, to enable other extensions to access an extension's resources they must be included in this key.

For example, the Beastify example extension replaces a web page with an image of a beast selected by the user. The beast images are packaged with the extension. To make the selected image visible, the extension adds <img> elements whose src attribute points to the beast's image. For the web page to be able to load the images, they must be made web accessible.

With the web_accessible_resources key, you list all the packaged resources that you want to make available to web pages. You specify them as paths relative to the manifest.json file.

Note that content scripts don't need to be listed as web accessible resources.

If an extension wants to use webRequest or declarativeNetRequest to redirect a public URL (e.g., HTTPS) to a page that's packaged in the extension, then the extension must list the page in the web_accessible_resources key.

Manifest V2 syntax

In Manifest V2, web accessible resources are added as an array under the key, like this:

json

"web_accessible_resources": [
  "images/my-image.png"
]

Manifest V3 syntax

In Manifest V3, the web_accessible_resources key is an array of objects like this:

json

{
  // …
  "web_accessible_resources": [
    {
      "resources": [ "test1.png", "test2.png" ],
      "matches": [ "https://web-accessible-resources-1.glitch.me/*" ]
    }, {
      "resources": [ "test3.png", "test4.png" ],
      "matches": [ "https://web-accessible-resources-2.glitch.me/*" ],
      "use_dynamic_url": true
    }
  ],
  // …
}

Each object must include a "resources" property and either a "matches" or "extension_ids" property from the following properties:

Name Type Description
extension_ids Array of String Optional. Defaults to [], meaning that other extensions cannot access the resource.

A list of extension IDs specifying the extensions that can access the resources. "*" matches all extensions.

matches Array of String Optional. Defaults to [], meaning that other websites cannot access the resource.

A list of URL match patterns specifying the pages that can access the resources. Only the origin is used to match URLs. Origins include subdomain matching. Paths must be set to /*.

resources Array of String An array of resources to be exposed. Resources are specified as strings and may contain * for wildcard matches. For example, "/images/*" exposes everything in the extension's /images directory recursively, while "*.png" exposes all PNG files.
use_dynamic_url Boolean Optional. Defaults to false.

Whether resources to be accessible through the dynamic ID. The dynamic ID is generated per session and regenerated on browser restart or extension reload.

Using web_accessible_resources

Suppose your extension includes an image file at images/my-image.png, like this:

my-extension-files/
    manifest.json
    my-background-script.js
    images/
        my-image.png

To enable a web page to use an <img> element whose src attribute points to this image, you would specify web_accessible_resources like this:

json

"web_accessible_resources": ["images/my-image.png"]

The file is then available using a URL like:

moz-extension://<extension-UUID>/images/my-image.png"

<extension-UUID> is not your extension's ID. This ID is randomly generated for every browser instance. This prevents websites from fingerprinting a browser by examining the extensions it has installed.

Note: In Chrome in Manifest V2, an extension's ID is fixed. When a resource is listed in web_accessible_resources, it is accessible as chrome-extension://<your-extension-id>/<path/to/resource>. In Manifest V3, Chrome can use a dynamic URL by setting use_dynamic_url to true.

The recommended approach to obtaining the URL of the resource is to use runtime.getURL passing the path relative to manifest.json, for example:

js

browser.runtime.getURL("images/my-image.png");
// something like:
// moz-extension://944cfddf-7a95-3c47-bd9a-663b3ce8d699/images/my-image.png

This approach gives you the correct URL regardless of the browser your extension is running on.

Wildcards

web_accessible_resources entries can contain wildcards. For example, the following entry would also work to include the resource at "images/my-image.png":

json

  "web_accessible_resources": ["images/*.png"]

Security

If you make a page web-accessible, any website may link or redirect to that page. The page should then treat any input (POST data, for example) as if it came from an untrusted source, just as a normal web page should.

Web-accessible extension resources are not blocked by CORS or CSP. Because of this ability to bypass security checks, extensions should avoid using web-accessible scripts when possible. A web-accessible extension script can unexpectedly be misused by malicious websites to weaken the security of other websites. Follow the security best practices by avoiding injection of moz-extension:-URLs in web pages and ensuring that third-party libraries are up to date.

Example

Manifest V2 example

json

"web_accessible_resources": ["images/my-image.png"]

Make the file at "images/my-image.png" web accessible to any website and extension.

Manifest V3 example

json

"web_accessible_resources": [
  {
    "resources": [ "images/my-image.png" ],
    "extension_ids": ["*"],
    "matches": [ "*://*/*" ]
  }
]

Make the file at "images/my-image.png" web accessible to any website and extension.

It is recommended to only specify extension_ids or matches if needed. For example, if the resource only needs to be accessible to web pages at example.com:

json

"web_accessible_resources": [
  {
    "resources": [ "images/my-image.png" ],
    "matches": [ "https://example.com/*" ]
  }
]

Example extensions

Browser compatibility

BCD tables only load in the browser