Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(225)

Side by Side Diff: chrome/common/extensions/docs/static/manifest.html

Issue 10458063: Add sanbdoxed_pages to allow extension/app pages to be served in a sandboxed, unique origin (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: CheckCurrentContextAccessToExtensionAPI Created 8 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
OLDNEW
1 <div id="pageData-name" class="pageData">Formats: Manifest Files</div> 1 <div id="pageData-name" class="pageData">Formats: Manifest Files</div>
2 <div id="pageData-showTOC" class="pageData">true</div> 2 <div id="pageData-showTOC" class="pageData">true</div>
3 3
4 <p> 4 <p>
5 Every extension, installable web app, and theme has a 5 Every extension, installable web app, and theme has a
6 <a href="http://www.json.org">JSON</a>-formatted manifest file, 6 <a href="http://www.json.org">JSON</a>-formatted manifest file,
7 named <code>manifest.json</code>, 7 named <code>manifest.json</code>,
8 that provides important information. 8 that provides important information.
9 </p> 9 </p>
10 10
(...skipping 37 matching lines...) Expand 10 before | Expand all | Expand 10 after
48 "<a href="#minimum_chrome_version">minimum_chrome_version</a>": "<em>versionSt ring</em>", 48 "<a href="#minimum_chrome_version">minimum_chrome_version</a>": "<em>versionSt ring</em>",
49 49
50 "<a href="#nacl_modules">nacl_modules</a>": [...], 50 "<a href="#nacl_modules">nacl_modules</a>": [...],
51 "<a href="#offline_enabled">offline_enabled</a>": true, 51 "<a href="#offline_enabled">offline_enabled</a>": true,
52 "<a href="omnibox.html">omnibox</a>": { "keyword": "<em>aString</em>" }, 52 "<a href="omnibox.html">omnibox</a>": { "keyword": "<em>aString</em>" },
53 "<a href="options.html">options_page</a>": "<em>aFile</em>.html", 53 "<a href="options.html">options_page</a>": "<em>aFile</em>.html",
54 "<a href="#permissions">permissions</a>": [...], 54 "<a href="#permissions">permissions</a>": [...],
55 "<a href="npapi.html">plugins</a>": [...], 55 "<a href="npapi.html">plugins</a>": [...],
56 "<a href="#requirements">requirements</a>": {...}, 56 "<a href="#requirements">requirements</a>": {...},
57 "<a href="autoupdate.html">update_url</a>": "http://<em>path/to/updateInfo</em >.xml", 57 "<a href="autoupdate.html">update_url</a>": "http://<em>path/to/updateInfo</em >.xml",
58 "<a href="#web_accessible_resources">web_accessible_resources</a>": [...] 58 "<a href="#web_accessible_resources">web_accessible_resources</a>": [...],
59 "<a href="#sandboxed_pages">sandboxed_pages</a>": [...]
59 } 60 }
60 </pre> 61 </pre>
61 62
62 63
63 <h2>Field details</h2> 64 <h2>Field details</h2>
64 65
65 <p> 66 <p>
66 This section covers fields that aren't described in another page. 67 This section covers fields that aren't described in another page.
67 For a complete list of fields, 68 For a complete list of fields,
68 with links to where they're described in detail, 69 with links to where they're described in detail,
(...skipping 148 matching lines...) Expand 10 before | Expand all | Expand 10 after
217 <p> 218 <p>
218 A dictionary that specifies all intent handlers provided by this extension or ap p. Each key in the dictionary specifies an action verb that is handled by this e xtension. The following example specifies two handlers for the action verb "<a h ref="http://webintents.org/share">http://webintents.org/share</a>". 219 A dictionary that specifies all intent handlers provided by this extension or ap p. Each key in the dictionary specifies an action verb that is handled by this e xtension. The following example specifies two handlers for the action verb "<a h ref="http://webintents.org/share">http://webintents.org/share</a>".
219 </p> 220 </p>
220 221
221 <pre> 222 <pre>
222 { 223 {
223 "name": "test", 224 "name": "test",
224 "version": "1", 225 "version": "1",
225 "intents": { 226 "intents": {
226 "http://webintents.org/share": [ 227 "http://webintents.org/share": [
227 { 228 {
228 "type": ["text/uri-list"], 229 "type": ["text/uri-list"],
229 "href": "/services/sharelink.html", 230 "href": "/services/sharelink.html",
230 "title" : "Sample Link Sharing Intent", 231 "title" : "Sample Link Sharing Intent",
231 "disposition" : "inline" 232 "disposition" : "inline"
232 }, 233 },
233 { 234 {
234 "type": ["image/*"], 235 "type": ["image/*"],
235 "href": "/services/shareimage.html", 236 "href": "/services/shareimage.html",
236 "title" : "Sample Image Sharing Intent", 237 "title" : "Sample Image Sharing Intent",
237 "disposition" : "window" 238 "disposition" : "window"
238 } 239 }
239 ] 240 ]
240 } 241 }
241 } 242 }
242 </pre> 243 </pre>
243 244
244 <p> 245 <p>
245 The value of "type" is an array of mime types that is supported by this handler. The "href" indicates the URL of the page that handles the intent. For hosted ap ps, these URLs must be within the allowed set of URLs. For extensions, all URLs are inside the extension and considered relative to the extension root URL. 246 The value of "type" is an array of mime types that is supported by this handler. The "href" indicates the URL of the page that handles the intent. For hosted ap ps, these URLs must be within the allowed set of URLs. For extensions, all URLs are inside the extension and considered relative to the extension root URL.
246 </p> 247 </p>
247 248
248 <p> 249 <p>
249 The "title" is displayed in the intent picker UI when the user initiates the act ion specific to the handler. 250 The "title" is displayed in the intent picker UI when the user initiates the act ion specific to the handler.
250 </p> 251 </p>
251 252
252 <p> 253 <p>
253 The "disposition" is either "inline" or "window". Intents with "window" disposit ion will open a new tab when invoked. Intents with "inline" disposition will be displayed inside the intent picker when invoked. 254 The "disposition" is either "inline" or "window". Intents with "window" disposit ion will open a new tab when invoked. Intents with "inline" disposition will be displayed inside the intent picker when invoked.
254 </p> 255 </p>
255 256
(...skipping 352 matching lines...) Expand 10 before | Expand all | Expand 10 after
608 <a href="tts.html">chrome.tts</a> module. </td> 609 <a href="tts.html">chrome.tts</a> module. </td>
609 </tr> 610 </tr>
610 <tr> 611 <tr>
611 <td> "ttsEngine" </td> 612 <td> "ttsEngine" </td>
612 <td> Required if the extension uses the 613 <td> Required if the extension uses the
613 <a href="ttsEngine.html">chrome.ttsEngine</a> module. </td> 614 <a href="ttsEngine.html">chrome.ttsEngine</a> module. </td>
614 </tr> 615 </tr>
615 <tr> 616 <tr>
616 <td> "unlimitedStorage"</td> 617 <td> "unlimitedStorage"</td>
617 <td> Provides an unlimited quota for storing HTML5 client-side data, 618 <td> Provides an unlimited quota for storing HTML5 client-side data,
618 such as databases and local storage files. 619 such as databases and local storage files.
619 Without this permission, the extension is limited to 620 Without this permission, the extension is limited to
620 5 MB of local storage. 621 5 MB of local storage.
621 622
622 <p class="note"> 623 <p class="note">
623 <b>Note:</b> 624 <b>Note:</b>
624 This permission applies only to Web SQL Database and application cache 625 This permission applies only to Web SQL Database and application cache
625 (see issue <a href="http://crbug.com/58985">58985</a>). 626 (see issue <a href="http://crbug.com/58985">58985</a>).
626 Also, it doesn't currently work with wildcard subdomains such as 627 Also, it doesn't currently work with wildcard subdomains such as
627 <code>http://*.example.com</code>. 628 <code>http://*.example.com</code>.
628 </p> 629 </p>
629 </td> 630 </td>
630 <tr> 631 <tr>
631 <tr> 632 <tr>
632 <td> "webNavigation" </td> 633 <td> "webNavigation" </td>
633 <td> Required if the extension uses the 634 <td> Required if the extension uses the
634 <a href="webNavigation.html">chrome.webNavigation</a> module. </td> 635 <a href="webNavigation.html">chrome.webNavigation</a> module. </td>
635 </tr> 636 </tr>
636 <tr> 637 <tr>
637 <td> "webRequest" </td> 638 <td> "webRequest" </td>
638 <td> Required if the extension uses the 639 <td> Required if the extension uses the
(...skipping 157 matching lines...) Expand 10 before | Expand all | Expand 10 after
796 <code>chrome.extension.getURL</code> 797 <code>chrome.extension.getURL</code>
797 </a> method. Whitelisted resources are served with appropriate 798 </a> method. Whitelisted resources are served with appropriate
798 <a href="http://www.w3.org/TR/cors/">CORS</a> headers, so they're available via 799 <a href="http://www.w3.org/TR/cors/">CORS</a> headers, so they're available via
799 mechanisms like XHR. 800 mechanisms like XHR.
800 </p> 801 </p>
801 802
802 <p> 803 <p>
803 Injected content scripts themselves do not need to be whitelisted. 804 Injected content scripts themselves do not need to be whitelisted.
804 </p> 805 </p>
805 806
806 <h4>Default Availablility</h4> 807 <h4>Default Availability</h4>
807 808
808 <p> 809 <p>
809 Resources inside of packages using <a href="#manifest_version"> 810 Resources inside of packages using <a href="#manifest_version"><code>manifest_ve rsion</code></a>
810 <code>manifest_version</code> 811 2 or above are <strong>blocked by default</strong>, and must be whitelisted
811 </a> 2 or above are <strong>blocked by default</strong>, and must be whitelisted
812 for use via this property. 812 for use via this property.
813 </p> 813 </p>
814 814
815 <p> 815 <p>
816 Resources inside of packages using <code>manifest_version</code> 1 are available 816 Resources inside of packages using <code>manifest_version</code> 1 are available
817 by default, but <em>if</em> you do set this property, then it will be treated as 817 by default, but <em>if</em> you do set this property, then it will be treated as
818 a complete list of all whitelisted resources. Resources not listed will be 818 a complete list of all whitelisted resources. Resources not listed will be
819 blocked. 819 blocked.
820 </p> 820 </p>
821 821
822 <h3 id="sandboxed_pages">sandboxed_pages</h3>
823
824 <p>
825 A list of paths (relative to the package root) to pages that are to be served
826 in a sandboxed unique origin, and optionally a Content Security Policy to use
827 with them. Being in a sandbox has two implications:
828 </p>
829
830 <ol>
831 <li>A sandboxed page will not have access to extension or app APIs, or
832 direct access to non-sandboxed pages (it may communicate with them via
833 <code>postMessage()</code>).</li>
834 <li>A sandboxed page is not subject to the
835 <a href="contentSecurityPolicy.html">Content Security Policy (CSP)</a> used
836 by the rest of the app or extension (it has its own separate CSP value). This
837 means that, for example, it can use inline script and <code>eval</code>.</li>
838 </ol>
839
840 <p>For example, here's how to specify that two extension pages are to be served
841 in a sandbox with a custom CSP:</p>
842
843 <pre>{
844 ...
845 "sandboxed_pages": {
846 "pages": [
847 "page1.html",
848 "directory/page2.html"
849 ]
850 <i>// content_security_policy is optional.</i>
851 "content_security_policy":
852 "sandbox allow-scripts: script-src https://www.google.com"
853 ],
854 ...
855 }</pre>
856
857 <p>
858 The sandbox is enforced by using the
859 <a href="http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe- element.html#attr-iframe-sandbox">HTML5 sandbox</a>
860 with the tokens <code>allow-scripts allow-forms</code>. You can specify a
861 different CSP value to use instead, but it must have the <code>sandbox</code>
862 directive and may not have the <code>allow-same-origin</code> token.
863 </p>
864
865 <p>
866 Note that you only need to list pages that you expected to be loaded in
867 windows or frames. Resources used by sandboxed pages (e.g. stylesheets or
868 JavaScript source files) do not need to appear in the
869 <code>sandboxed_page</code> list, they will use the sandbox of the page
870 that embeds them.
871 </p>
872
873 <p>
874 Sandboxed page may only be specified when using
875 <a href="#manifest_version"><code>manifest_version</code></a> 2 or above.
876 </p>
OLDNEW

Powered by Google App Engine
This is Rietveld 408576698