I believe this affects all Safari extensions. It is affecting mine and it also appears to be affecting this extension here: https://github.com/adobe/helix-sidekick-extension/issues/721
There appears to be a difference with regard to injecting <script> elements.
In order to force Google docs to show its annotated canvas, Google recommends extensions use code such as the following in their content script:
const scriptElem = document.createElement('script');
scriptElem.textContent = "(function() { window['_docs_annotate_canvas_by_ext'] = '<extension id>'; })();";
(document.head || document.documentElement).appendChild(scriptElem);
scriptElem.remove();
This works as expected on Chrome and Firefox but on Safari it produces:
Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
For what it's worth, unsafe-inline does appear in the host page's CSP (i.e. that of docs.google.com) and adding the script's hash to a content_security_policy member of the extension's manifest does not appear to help either.
(moved to an answer)