Issue Station
Sign In
Tools hereToolbox

claude-code - 💡(How to fix) Fix [BUG] Claude extension 1.0.68 logs recurring CSP + debugger + runtime errors [1 comments, 2 participants]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…
GitHub stats
anthropics/claude-code#51691Fetched 2026-04-22 07:55:27
View on GitHub
Comments
1
Participants
2
Timeline
5
Reactions
0
Author
spencergoldadespencergoldade
Participants
github-actions[bot]github-actions[bot]spencergoldadespencergoldade
Timeline (top)
labeled ×4commented ×1

Error Message

  1. Executing inline script violates the following Content Security Policy
    directive 'script-src 'self''. Either the 'unsafe-inline' keyword, a hash
    ('sha256-kFwyFWA0myfqRcE5y2d5UX8g0o2QFHSmCz1gWSW0xpk='), or a nonce ('nonce-...') is required to enable inline execution. The action has been
    blocked.

  2. Executing inline script violates the following Content Security Policy
    directive 'script-src 'self' 'wasm-unsafe-eval' 'inline-speculation-rules''. Either the 'unsafe-inline' keyword, a hash
    ('sha256-kFwyFWA0myfqRcE5y2d5UX8g0o2QFHSmCz1gWSW0xpk='), or a nonce ('nonce-...') is required to enable inline execution. The action has been blocked.

  3. Datadog Browser SDK: SDK is loaded more than once. This is unsupported and might have unexpected behavior.

  4. Loading the script 'https://cdn.segment.com/next-integrations/actions/ampli tude-plugins/f12a4347e1080fb88155.js' violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not
    explicitly set, so 'script-src' is used as a fallback. The action has been blocked.

  5. Uncaught (in promise) Error: Could not establish connection. Receiving end does not exist.

  6. Unchecked runtime.lastError: Debugger is not attached to the tab with id: <tabId>.

Also seen in CLI --debug output (not fatal, but likely a version drift):

[WARN] [Claude in Chrome] Unrecognized bridge message type: routing_ack

Separate root-cause note on why the extension appeared "not connected" before the reproducer below: the cached OAuth token in Claude Code lacked the user:profile scope, so the WS bridge
wss://bridge.claudeusercontent.com/chrome/<userId> rejected the handshake with {"type":"error","error":"Invalid token or user mismatch"}. A forced claude auth login refreshed scopes and the bridge paired in ~94ms. That was a silent failure mode worth surfacing better in the error message.

Code Example

1. Executing inline script violates the following Content Security Policy     
  directive 'script-src 'self''. Either the 'unsafe-inline' keyword, a hash     
  ('sha256-kFwyFWA0myfqRcE5y2d5UX8g0o2QFHSmCz1gWSW0xpk='), or a nonce
  ('nonce-...') is required to enable inline execution. The action has been     
  blocked.        

  2. Executing inline script violates the following Content Security Policy     
  directive 'script-src 'self' 'wasm-unsafe-eval' 'inline-speculation-rules''.
  Either the 'unsafe-inline' keyword, a hash                                    
  ('sha256-kFwyFWA0myfqRcE5y2d5UX8g0o2QFHSmCz1gWSW0xpk='), or a nonce
  ('nonce-...') is required to enable inline execution. The action has been
  blocked.

  3. Datadog Browser SDK: SDK is loaded more than once. This is unsupported and
  might have unexpected behavior.

  4. Loading the script 'https://cdn.segment.com/next-integrations/actions/ampli
  tude-plugins/f12a4347e1080fb88155.js' violates the following Content Security
  Policy directive: "script-src 'self'". Note that 'script-src-elem' was not    
  explicitly set, so 'script-src' is used as a fallback. The action has been
  blocked.

  5. Uncaught (in promise) Error: Could not establish connection. Receiving end 
  does not exist.
                                                                                
  6. Unchecked runtime.lastError: Debugger is not attached to the tab with id:
  <tabId>.

  Also seen in CLI --debug output (not fatal, but likely a version drift):      
   
  [WARN] [Claude in Chrome] Unrecognized bridge message type: routing_ack       
                  
  Separate root-cause note on why the extension appeared "not connected" before 
  the reproducer below: the cached OAuth token in Claude Code lacked the
  user:profile scope, so the WS bridge                                          
  wss://bridge.claudeusercontent.com/chrome/<userId> rejected the handshake with
   {"type":"error","error":"Invalid token or user mismatch"}. A forced claude
  auth login refreshed scopes and the bridge paired in ~94ms. That was a silent
  failure mode worth surfacing better in the error message.
RAW_BUFFERClick to expand / collapse

Preflight Checklist

  • I have searched existing issues and this hasn't been reported yet
  • This is a single bug report (please file separate reports for different bugs)
  • I am using the latest version of Claude Code

What's Wrong?

The Claude browser extension (v1.0.68) logs five recurring non-fatal error classes during both passive (idle) and active (MCP tool calls like navigate / click) use. The functional MCP browser bridge works correctly after OAuth scope refresh, but the extension error dialog fills with CSP violations and unhandled promise rejections every session.

What Should Happen?

The extension should not violate its own CSP (the bundle currently emits inline scripts and tries to load third-party scripts the extension's own script-src 'self' blocks). The Datadog SDK should load once, not twice. Debugger detach calls should check chrome.runtime.lastError. Runtime messages should not fire against tabs where no receiver exists (e.g. chrome:// pages).

Error Messages/Logs

1. Executing inline script violates the following Content Security Policy     
  directive 'script-src 'self''. Either the 'unsafe-inline' keyword, a hash     
  ('sha256-kFwyFWA0myfqRcE5y2d5UX8g0o2QFHSmCz1gWSW0xpk='), or a nonce
  ('nonce-...') is required to enable inline execution. The action has been     
  blocked.        

  2. Executing inline script violates the following Content Security Policy     
  directive 'script-src 'self' 'wasm-unsafe-eval' 'inline-speculation-rules''.
  Either the 'unsafe-inline' keyword, a hash                                    
  ('sha256-kFwyFWA0myfqRcE5y2d5UX8g0o2QFHSmCz1gWSW0xpk='), or a nonce
  ('nonce-...') is required to enable inline execution. The action has been
  blocked.

  3. Datadog Browser SDK: SDK is loaded more than once. This is unsupported and
  might have unexpected behavior.

  4. Loading the script 'https://cdn.segment.com/next-integrations/actions/ampli
  tude-plugins/f12a4347e1080fb88155.js' violates the following Content Security
  Policy directive: "script-src 'self'". Note that 'script-src-elem' was not    
  explicitly set, so 'script-src' is used as a fallback. The action has been
  blocked.

  5. Uncaught (in promise) Error: Could not establish connection. Receiving end 
  does not exist.
                                                                                
  6. Unchecked runtime.lastError: Debugger is not attached to the tab with id:
  <tabId>.

  Also seen in CLI --debug output (not fatal, but likely a version drift):      
   
  [WARN] [Claude in Chrome] Unrecognized bridge message type: routing_ack       
                  
  Separate root-cause note on why the extension appeared "not connected" before 
  the reproducer below: the cached OAuth token in Claude Code lacked the
  user:profile scope, so the WS bridge                                          
  wss://bridge.claudeusercontent.com/chrome/<userId> rejected the handshake with
   {"type":"error","error":"Invalid token or user mismatch"}. A forced claude
  auth login refreshed scopes and the bridge paired in ~94ms. That was a silent
  failure mode worth surfacing better in the error message.

Steps to Reproduce

  1. Install the Claude extension (Chrome Web Store, v1.0.68).
  2. Install Claude Code 2.1.116. Run claude auth login to ensure the OAuth token carries the user:profile scope. (Older tokens cause a silent bridge handshake failure with "Invalid token or user mismatch".)
  3. Open chrome://extensions/ → Claude → Errors → Clear all.
  4. In a Claude Code session with chrome integration enabled, call:
    • mcp__claude-in-chrome__tabs_create_mcp
    • mcp__claude-in-chrome__navigate (tabId, url: https://spencergoldade.ca)
    • mcp__claude-in-chrome__find (tabId, query: "main navigation links")
    • mcp__claude-in-chrome__computer (tabId, action: left_click, ref: <ref from find>)
  5. Return to chrome://extensions/ → Claude → Errors.
  6. Observe: all six error classes listed above, some fired multiple times.

Notes:

  • Errors 1, 2, 3, 4 fire passively on extension load, independent of any MCP
    call.
  • Error 5 fires when the extension pings tabs where no content script is injected (e.g. chrome://newtab).
  • Error 6 fires on every computer.left_click via the chrome.debugger API.

Claude Model

Opus

Is this a regression?

I don't know

Last Working Version

No response

Claude Code Version

n/a

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Terminal.app (macOS)

Additional Information

  • Extension ID: fcoeoabgfenejglbffodgkkbkcdhcgfn
  • Extension version: 1.0.68 (git-hash.txt: afad07eac99fba59beb298d6b2599940ba780889)
  • Chrome: 147.0.7727.101
  • Native messaging host: com.anthropic.claude_code_browser_extension, routed
    through ~/.claude/chrome/chrome-native-host → claude --chrome-native-host
  • Extension manifest CSP (extension_pages): "script-src 'self'; object-src
    'self'; connect-src 'self' https://api.anthropic.com wss://api.anthropic.com
    ... https://*.segment.com ... https://browser-intake-us5-datadoghq.com wss://bridge.claudeusercontent.com ...; style-src 'self' 'unsafe-inline';
    img-src 'self' data: https:; font-src 'self' data:;"

Suggested fixes (from the outside — minified bundle, not source):

  • Errors 1/2: whitelist the inline script hash in content_security_policy.extension_pages (hash is deterministic:
    sha256-kFwyFWA0myfqRcE5y2d5UX8g0o2QFHSmCz1gWSW0xpk=), or move that script to an external file.
  • Error 3: the bundle imports @datadog/browser-* twice; gate to a single init.
  • Error 4: either add https://cdn.segment.com to script-src or disable
    Segment's dynamic plugin loader for the extension build. connect-src already permits Segment; script-src does not.
  • Error 5: wrap chrome.runtime.sendMessage / chrome.tabs.sendMessage calls with .catch(() => {}), or skip tabs whose URL starts with chrome://,
    chrome-extension://, about:, edge://, devtools://.
  • Error 6: check chrome.runtime.lastError after every
    chrome.debugger.detach() call, or short-circuit when no prior attach is
    recorded.
  • Bridge: when wss://bridge.claudeusercontent.com/chrome/<userId> returns
    {"type":"error","error":"Invalid token or user mismatch"}, the CLI should
    surface an "OAuth token missing required scope; please run claude auth login" message instead of the generic "Browser extension is not connected"
    hint (the extension IS connected; the CLI side is the one rejected).
  • CLI: handle routing_ack bridge messages to suppress the "Unrecognized bridge message type" warning.
<img width="2576" height="1657" alt="Image" src="https://github.com/user-attachments/assets/1bc5afe3-514b-472f-97cd-4258882a5c12" /> <img width="2576" height="1373" alt="Image" src="https://github.com/user-attachments/assets/c9df205e-d0da-45aa-8441-788cd3350c07" /> <img width="1008" height="798" alt="Image" src="https://github.com/user-attachments/assets/49b8ef14-e479-48ed-8388-ab55ced68d82" /> <img width="984" height="154" alt="Image" src="https://github.com/user-attachments/assets/df1854d8-d110-4688-82b7-ef4557f2db9e" />

extent analysis

TL;DR

The most likely fix involves updating the Content Security Policy (CSP) in the extension's manifest to allow inline scripts or moving them to external files, and addressing the Datadog SDK import issue.

Guidance

  1. Update the CSP: Whitelist the inline script hash in content_security_policy.extension_pages or move the script to an external file to resolve errors 1 and 2.
  2. Fix Datadog SDK import: Gate the Datadog SDK import to a single initialization to prevent loading it twice, addressing error 3.
  3. Resolve Segment plugin issue: Add https://cdn.segment.com to script-src or disable Segment's dynamic plugin loader for the extension build to fix error 4.
  4. Handle runtime errors: Wrap chrome.runtime.sendMessage and chrome.tabs.sendMessage calls with .catch(() => {}) or skip tabs with URLs starting with chrome://, chrome-extension://, about:, edge://, or devtools:// to resolve error 5.
  5. Check for debugger detachment errors: Verify chrome.runtime.lastError after every chrome.debugger.detach() call to address error 6.

Example

To update the CSP, add the following line to the content_security_policy.extension_pages field in the extension's manifest:

"script-src 'self' 'sha256-kFwyFWA0myfqRcE5y2d5UX8g0o2QFHSmCz1gWSW0xpk='"

Notes

These steps are based on the provided error messages and may not be exhaustive. Further investigation may be required to fully resolve the issues.

Recommendation

Apply the suggested fixes, starting with updating the CSP and addressing the Datadog SDK import issue, as these seem to be the most critical problems.

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…
#api#autograd error#model save/load#optimization#mixed precision

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING

claude-code - 💡(How to fix) Fix [BUG] Claude extension 1.0.68 logs recurring CSP + debugger + runtime errors [1 comments, 2 participants]