diff --git a/extension/chrome/elements/pgp_pubkey.ts b/extension/chrome/elements/pgp_pubkey.ts
index c8ac696180d..7081e0c4356 100644
--- a/extension/chrome/elements/pgp_pubkey.ts
+++ b/extension/chrome/elements/pgp_pubkey.ts
@@ -190,7 +190,7 @@ View.run(
private showKeyNotUsableError = async () => {
$('.error_container').removeClass('hidden');
- $('.error_introduce_label').html(`This OpenPGP key is not usable.
(${await this.getErrorText()})`); // xss-escaped
+ $('.error_introduce_label').html(`This OpenPGP key is not usable.
(${Xss.escape(await this.getErrorText())})`); // xss-escaped
$('.hide_if_error').hide();
$('.fingerprints, .add_contact, #manual_import_warning').remove();
const email = this.firstParsedPublicKey ? KeyUtil.getPrimaryEmail(this.firstParsedPublicKey) : undefined;
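Review bot: The `// xss-escaped` marker on the `.html()` call in showKeyNotUsableError was already present on the removed line, where the interpolated error text was not escaped, so the marker is an unchecked assertion that can go stale again. I would route this sink through the sanitizer the project already uses in contacts.ts, i.e. `Xss.sanitizeRender('.error_introduce_label', …)` with `Xss.escape(await this.getErrorText())` kept inside the template, so that a later unescaped interpolation is still sanitized rather than written raw. getErrorText() is defined outside this hunk; its text presumably derives from parsing the supplied key and should be treated as untrusted. A regression test rendering a key whose error text contains markup would pin the behaviour.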
diff --git a/extension/chrome/settings/modules/contacts.ts b/extension/chrome/settings/modules/contacts.ts
index 8912a086d96..432f3ccf993 100644
--- a/extension/chrome/settings/modules/contacts.ts
+++ b/extension/chrome/settings/modules/contacts.ts
@@ -175,13 +175,16 @@ View.run(
}
const key = await KeyUtil.parse(armoredPubkey);
$('.hide_when_rendering_subpage').css('display', 'none');
- Xss.sanitizeRender('h1', `${this.backBtn}${this.space}${email} `);
+ Xss.sanitizeRender('h1', `${this.backBtn}${this.space}${Xss.escape(email)} `); // xss-escaped
$('#view_contact .key_dump').text(armoredPubkey);
$('#view_contact #container-pubkey-details').text(
[
`Type: ${key.family}`,
`Fingerprint: ${Str.spaced(key.id || 'none')}`,
- `Users: ${key.users?.map(u => u.email).filter(Boolean).join(', ')}`,
+ `Users: ${key.users
+ ?.map(u => u.email)
+ .filter(Boolean)
+ .join(', ')}`,
`Created on: ${key.created ? new Date(key.created) : ''}`,
`Expiration: ${key.expiration ? new Date(key.expiration) : 'Does not expire'}`,
`Last signature: ${key.lastModified ? new Date(key.lastModified) : ''}`,
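Review bot: The `// xss-escaped` comment on the `Xss.sanitizeRender('h1', …)` line does not say why `email` needs escaping when the string is already sanitized, which invites someone to remove the `Xss.escape(email)` as redundant. A sanitizer presumably still keeps whatever markup it allows, so an address containing tags would be rendered as markup rather than shown as text; I would replace the marker with a why-comment such as `// email is untrusted contact data: escape so it renders as text, sanitizeRender alone keeps allowed markup`. Where `email` comes from is outside this hunk, so confirm that wording against the caller. `this.backBtn` and `this.space` are interpolated unescaped on the same line; that is fine only if both are static markup defined in this class.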
diff --git a/extension/js/common/ui/passphrase-ui.ts b/extension/js/common/ui/passphrase-ui.ts
index 32f15e6149e..e1630e8cc10 100644
--- a/extension/js/common/ui/passphrase-ui.ts
+++ b/extension/js/common/ui/passphrase-ui.ts
@@ -90,8 +90,8 @@ export const isCreatePrivateFormInputCorrect = async (section: string, clientCon
Please write down your passphrase and store it in safe place or even two.
It is needed in order to access your FlowCrypt account.
-