diff --git a/files/en-us/mozilla/add-ons/webextensions/content_security_policy/index.md b/files/en-us/mozilla/add-ons/webextensions/content_security_policy/index.md
index f2717c62cd25892..f4f49fd40f9fdff 100644
--- a/files/en-us/mozilla/add-ons/webextensions/content_security_policy/index.md
+++ b/files/en-us/mozilla/add-ons/webextensions/content_security_policy/index.md
@@ -6,7 +6,7 @@ tags:
---
{{AddonSidebar}}
-Extensions developed with WebExtension APIs have a Content Security Policy (CSP) applied to them by default. This restricts the sources from which they can load [\
@@ -66,7 +68,7 @@ Under the default CSP you may only load [\"`:
@@ -178,13 +175,7 @@ Allow the inline script: `""`:
"content_security_policy": "script-src 'self' 'sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng='; object-src 'self'"
```
-- Manifest V3
-
- ```json
- "content_security_policy": {
- "extension_pages": "script-src 'self' 'sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng='; object-src 'self'"
- }
- ```
+- Manifest V3 does not allow CSP hashes in `script-src` of `extension_pages`.
Keep the rest of the policy, but also require that images should be packaged with the extension:
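Review bot: The added `- Manifest V3` bullet under "Allow the inline script" says hashes are not allowed in `script-src` of `extension_pages` but gives a Manifest V3 author no way forward. It also does not say which browser enforces this, whereas the WebAssembly hunk in this patch now qualifies its statement with "in Firefox". Suggest naming the browser(s) and pointing to a supported alternative, for example moving the inline script into a file packaged with the extension so that `script-src 'self'` covers it. The Manifest V2 bullet above still carries a full JSON example, so the list now pairs an example with a bare statement; a sentence that tells the reader what to do instead would keep the two bullets parallel.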
@@ -206,7 +197,7 @@ Enable the use of [WebAssembly](/en-US/docs/WebAssembly):
- Manifest V2
- For backward compatibility, Manifest V2 extensions can use WebAssembly without the use of `'wasm-unsafe-eval'`. However, if the extension uses WebAssembly, the inclusion of `'wasm-unsafe-eval'` is recommended. See [WebAssembly](/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_Security_Policy#webassembly) on the Content Security Policy page for more information.
+ For backward compatibility, Manifest V2 extensions in Firefox can use WebAssembly without the use of `'wasm-unsafe-eval'`. However, this behavior isn't guaranteed, see {{bug(1770909)}}. Extensions using WebAssembly are therefore encouraged to declare `'wasm-unsafe-eval'` in their CSP. See [WebAssembly](/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_Security_Policy#webassembly) on the Content Security Policy page for more information.
```json
"content_security_policy": "script-src 'self' 'wasm-unsafe-eval'"
@@ -222,39 +213,39 @@ Enable the use of [WebAssembly](/en-US/docs/WebAssembly):
### Invalid examples
-Policy that omits the `"object-src"` directive:
+Policy that omits the `"object-src"` directive (only invalid in browsers that support obsolete [plugins](/en-US/docs/Glossary/Plugin); [more information](https://github.com/w3c/webextensions/issues/204)):
-```json
+```json example-bad
"content_security_policy": "script-src 'self' https://*.jquery.com;"
```
Policy that omits the `"self"` keyword in the `"script-src"` directive:
-```json
+```json example-bad
"content_security_policy": "script-src https://*.jquery.com; object-src 'self'"
```
Scheme for a remote source is not `https`:
-```json
+```json example-bad
"content_security_policy": "script-src 'self' http://code.jquery.com; object-src 'self'"
```
Wildcard is used with a generic domain:
-```json
+```json example-bad
"content_security_policy": "script-src 'self' https://*.blogspot.com; object-src 'self'"
```
Source specifies a scheme but no host:
-```json
+```json example-bad
"content_security_policy": "script-src 'self' https:; object-src 'self'"
```
Directive includes the unsupported keyword `'unsafe-inline'`:
-```json
+```json example-bad
"content_security_policy": "script-src 'self' 'unsafe-inline'; object-src 'self'"
```
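Review bot: The first entry under "Invalid examples" is now invalid only in some browsers, yet its fence gets the same `example-bad` tag as the unconditionally invalid entries. The parenthetical should say which browsers still reject a policy without `object-src`, or the entry should be separated from the rest of the list so readers do not take it as a universal rule. The link text "more information" is not descriptive; name the target instead, for example "w3c/webextensions issue 204". The directive and keyword are also written as `"object-src"` and `"self"` with double quotes inside the code spans, while the policies themselves use `object-src` and `'self'`; since the intro line is being touched anyway, the notation could be aligned with the examples.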