| Index: chrome/common/extensions/docs/xhr.html
|
| diff --git a/chrome/common/extensions/docs/xhr.html b/chrome/common/extensions/docs/xhr.html
|
| deleted file mode 100644
|
| index c562d804577c52d0b2d798c703b1bf32cde388b9..0000000000000000000000000000000000000000
|
| --- a/chrome/common/extensions/docs/xhr.html
|
| +++ /dev/null
|
| @@ -1,373 +0,0 @@
|
| -<!DOCTYPE html><!-- This page is a placeholder for generated extensions api doc. Note:
|
| - 1) The <head> information in this page is significant, should be uniform
|
| - across api docs and should be edited only with knowledge of the
|
| - templating mechanism.
|
| - 3) All <body>.innerHTML is genereated as an rendering step. If viewed in a
|
| - browser, it will be re-generated from the template, json schema and
|
| - authored overview content.
|
| - 4) The <body>.innerHTML is also generated by an offline step so that this
|
| - page may easily be indexed by search engines.
|
| ---><html xmlns="http://www.w3.org/1999/xhtml"><head>
|
| - <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
|
| - <link href="css/ApiRefStyles.css" rel="stylesheet" type="text/css">
|
| - <link href="css/print.css" rel="stylesheet" type="text/css" media="print">
|
| - <script type="text/javascript" src="../../../third_party/jstemplate/jstemplate_compiled.js">
|
| - </script>
|
| - <script type="text/javascript" src="../../../../third_party/json_minify/minify-sans-regexp.js">
|
| - </script>
|
| - <script type="text/javascript" src="js/api_page_generator.js"></script>
|
| - <script type="text/javascript" src="js/bootstrap.js"></script>
|
| - <script type="text/javascript" src="js/sidebar.js"></script>
|
| - <title>Cross-Origin XMLHttpRequest - Google Chrome Extensions - Google Code</title></head>
|
| - <body> <div id="devModeWarning" class="displayModeWarning">
|
| - You are viewing extension docs in chrome via the 'file:' scheme: are you expecting to see local changes when you refresh? You'll need run chrome with --allow-file-access-from-files.
|
| - </div>
|
| - <div id="branchWarning" class="displayModeWarning">
|
| - <span>WARNING: This is the <span id="branchName">BETA</span> documentation.
|
| - It may not work with the stable release of Chrome.</span>
|
| - <select id="branchChooser">
|
| - <option>Choose a different version...
|
| - </option><option value="">Stable
|
| - </option><option value="beta">Beta
|
| - </option><option value="dev">Dev
|
| - </option><option value="trunk">Trunk
|
| - </option></select>
|
| - </div>
|
| - <div id="unofficialWarning" class="displayModeWarning">
|
| - <span>WARNING: This is unofficial documentation. It may not work with the
|
| - current release of Chrome.</span>
|
| - <button id="goToOfficialDocs">Go to the official docs</button>
|
| - </div>
|
| - <div id="gc-container" class="labs">
|
| - <!-- SUBTEMPLATES: DO NOT MOVE FROM THIS LOCATION -->
|
| - <!-- In particular, sub-templates that recurse, must be used by allowing
|
| - jstemplate to make a copy of the template in this section which
|
| - are not operated on by way of the jsskip="true" -->
|
| - <!-- /SUBTEMPLATES -->
|
| - <a id="top"></a>
|
| - <div id="skipto">
|
| - <a href="#gc-pagecontent">Skip to page content</a>
|
| - <a href="#gc-toc">Skip to main navigation</a>
|
| - </div>
|
| - <!-- API HEADER -->
|
| - <table id="header" width="100%" cellspacing="0" border="0">
|
| - <tbody><tr>
|
| - <td valign="middle"><a href="http://code.google.com/"><img src="images/code_labs_logo.gif" height="43" width="161" alt="Google Code Labs" style="border:0; margin:0;"></a></td>
|
| - <td valign="middle" width="100%" style="padding-left:0.6em;">
|
| - <form action="http://www.google.com/cse" id="cse" style="margin-top:0.5em">
|
| - <div id="gsc-search-box">
|
| - <input type="hidden" name="cx" value="002967670403910741006:61_cvzfqtno">
|
| - <input type="hidden" name="ie" value="UTF-8">
|
| - <input type="text" name="q" value="" size="55">
|
| - <input class="gsc-search-button" type="submit" name="sa" value="Search">
|
| - <br>
|
| - <span class="greytext">e.g. "page action" or "tabs"</span>
|
| - </div>
|
| - </form>
|
| - <script type="text/javascript" src="https://www.google.com/jsapi"></script>
|
| - <script type="text/javascript">google.load("elements", "1", {packages: "transliteration"});</script>
|
| - <script type="text/javascript" src="https://www.google.com/coop/cse/t13n?form=cse&t13n_langs=en"></script>
|
| - <script type="text/javascript" src="https://www.google.com/coop/cse/brand?form=cse&lang=en"></script>
|
| - </td>
|
| - </tr>
|
| - </tbody></table>
|
| - <div id="codesiteContent" class="">
|
| - <a id="gc-topnav-anchor"></a>
|
| - <div id="gc-topnav">
|
| - <h1>Google Chrome Extensions (<a href="http://code.google.com/labs/">Labs</a>)</h1>
|
| - <ul id="home" class="gc-topnav-tabs">
|
| - <li id="home_link">
|
| - <a href="index.html" title="Google Chrome Extensions home page">Home</a>
|
| - </li>
|
| - <li id="docs_link">
|
| - <a href="docs.html" title="Official Google Chrome Extensions documentation">Docs</a>
|
| - </li>
|
| - <li id="faq_link">
|
| - <a href="faq.html" title="Answers to frequently asked questions about Google Chrome Extensions">FAQ</a>
|
| - </li>
|
| - <li id="samples_link">
|
| - <a href="samples.html" title="Sample extensions (with source code)">Samples</a>
|
| - </li>
|
| - <li id="group_link">
|
| - <a href="http://groups.google.com/a/chromium.org/group/chromium-extensions" title="Google Chrome Extensions developer forum">Group</a>
|
| - </li>
|
| - <li id="so_link">
|
| - <a href="http://stackoverflow.com/questions/tagged/google-chrome-extension" title="[google-chrome-extension] tag on Stack Overflow">Questions?</a>
|
| - </li>
|
| - </ul>
|
| - </div> <!-- end gc-topnav -->
|
| - <div class="g-section g-tpl-170">
|
| - <!-- SIDENAV -->
|
| - <div class="g-unit g-first" id="gc-toc">
|
| - <ul>
|
| - <li><a href="getstarted.html">Getting Started</a></li>
|
| - <li><a href="overview.html">Overview</a></li>
|
| - <li><a href="whats_new.html">What's New?</a></li>
|
| - <li><h2><a href="devguide.html">Developer's Guide</a></h2>
|
| - <ul>
|
| - <li>Browser UI
|
| - <ul>
|
| - <li><a href="browserAction.html">Browser Actions</a></li>
|
| - <li><a href="contextMenus.html">Context Menus</a></li>
|
| - <li><a href="notifications.html">Desktop Notifications</a></li>
|
| - <li><a href="omnibox.html">Omnibox</a></li>
|
| - <li><a href="options.html">Options Pages</a></li>
|
| - <li><a href="override.html">Override Pages</a></li>
|
| - <li><a href="pageAction.html">Page Actions</a></li>
|
| - </ul>
|
| - </li>
|
| - <li>Browser Interaction
|
| - <ul>
|
| - <li><a href="bookmarks.html">Bookmarks</a></li>
|
| - <li><a href="cookies.html">Cookies</a></li>
|
| - <li><a href="devtools.html">Developer Tools</a></li>
|
| - <li><a href="events.html">Events</a></li>
|
| - <li><a href="history.html">History</a></li>
|
| - <li><a href="management.html">Management</a></li>
|
| - <li><a href="tabs.html">Tabs</a></li>
|
| - <li><a href="windows.html">Windows</a></li>
|
| - </ul>
|
| - </li>
|
| - <li>Implementation
|
| - <ul>
|
| - <li><a href="a11y.html">Accessibility</a></li>
|
| - <li><a href="background_pages.html">Background Pages</a></li>
|
| - <li><a href="content_scripts.html">Content Scripts</a></li>
|
| - <li class="leftNavSelected">Cross-Origin XHR</li>
|
| - <li><a href="i18n.html">Internationalization</a></li>
|
| - <li><a href="messaging.html">Message Passing</a></li>
|
| - <li><a href="permissions.html">Optional Permissions</a></li>
|
| - <li><a href="npapi.html">NPAPI Plugins</a></li>
|
| - </ul>
|
| - </li>
|
| - <li>Finishing
|
| - <ul>
|
| - <li><a href="hosting.html">Hosting</a></li>
|
| - <li><a href="external_extensions.html">Other Deployment Options</a></li>
|
| - </ul>
|
| - </li>
|
| - </ul>
|
| - </li>
|
| - <li><h2><a href="apps.html">Packaged Apps</a></h2></li>
|
| - <li><h2><a href="tutorials.html">Tutorials</a></h2>
|
| - <ul>
|
| - <li><a href="tut_debugging.html">Debugging</a></li>
|
| - <li><a href="tut_analytics.html">Google Analytics</a></li>
|
| - <li><a href="tut_oauth.html">OAuth</a></li>
|
| - </ul>
|
| - </li>
|
| - <li><h2>Reference</h2>
|
| - <ul>
|
| - <li>Formats
|
| - <ul>
|
| - <li><a href="manifest.html">Manifest Files</a></li>
|
| - <li><a href="match_patterns.html">Match Patterns</a></li>
|
| - </ul>
|
| - </li>
|
| - <li><a href="permission_warnings.html">Permission Warnings</a></li>
|
| - <li><a href="api_index.html">chrome.* APIs</a></li>
|
| - <li><a href="api_other.html">Other APIs</a></li>
|
| - </ul>
|
| - </li>
|
| - <li><h2><a href="samples.html">Samples</a></h2></li>
|
| - <div class="line"> </div>
|
| - <li><h2>More</h2>
|
| - <ul>
|
| - <li><a href="http://code.google.com/chrome/webstore/docs/index.html">Chrome Web Store</a></li>
|
| - <li><a href="http://code.google.com/chrome/apps/docs/developers_guide.html">Hosted Apps</a></li>
|
| - <li><a href="themes.html">Themes</a></li>
|
| - </ul>
|
| - </li>
|
| - </ul>
|
| - </div>
|
| - <script>
|
| - initToggles();
|
| - </script>
|
| - <div class="g-unit" id="gc-pagecontent">
|
| - <div id="pageTitle">
|
| - <h1 class="page_title">Cross-Origin XMLHttpRequest</h1>
|
| - </div>
|
| - <!-- TABLE OF CONTENTS -->
|
| - <!-- /TABLE OF CONTENTS -->
|
| - <!-- Standard content lead-in for experimental API pages -->
|
| - <!-- STATIC CONTENT PLACEHOLDER -->
|
| - <div id="static"><div id="pageData-name" class="pageData">Cross-Origin XMLHttpRequest</div>
|
| -<!-- BEGIN AUTHORED CONTENT -->
|
| -<p id="classSummary">
|
| -Regular web pages can use the
|
| -<a href="http://www.w3.org/TR/XMLHttpRequest/">XMLHttpRequest</a>
|
| -object to send and receive data from remote servers,
|
| -but they're limited by the
|
| -<a href="http://en.wikipedia.org/wiki/Same_origin_policy">same origin policy</a>.
|
| -Extensions aren't so limited.
|
| -An extension can talk to remote servers outside of its origin,
|
| -as long as it first requests cross-origin permissions.</p>
|
| -<p class="note">
|
| -<b>Version note:</b>
|
| -As of Chrome 13,
|
| -content scripts can make cross-origin requests
|
| -to the same servers as the rest of the extension.
|
| -Before Chrome 13, a content script couldn't directly make requests;
|
| -instead, it had to
|
| -send a message to its parent extension
|
| -asking the extension to make a cross-origin request.
|
| -</p>
|
| -<h2 id="extension-origin">Extension origin</h2>
|
| -<p>Each running extension exists within its own separate security origin. Without
|
| -requesting additional privileges, the extension can use
|
| -XMLHttpRequest to get resources within its installation. For example, if
|
| -an extension contains a JSON configuration file called <code>config.json</code>,
|
| -in a <code>config_resources</code> folder, the extension can retrieve the file's contents like
|
| -this:</p>
|
| -<pre>var xhr = new XMLHttpRequest();
|
| -xhr.onreadystatechange = handleStateChange; // Implemented elsewhere.
|
| -xhr.open("GET", chrome.extension.getURL('/config_resources/config.json'), true);
|
| -xhr.send();
|
| -</pre>
|
| -<p>If the extension attempts to use a security origin other than itself,
|
| -say http://www.google.com,
|
| -the browser disallows it
|
| -unless the extension has requested the appropriate cross-origin permissions.
|
| -</p>
|
| -<h2 id="requesting-permission">Requesting cross-origin permissions</h2>
|
| -<p>By adding hosts or host match patterns (or both) to the
|
| -<a href="manifest.html#permissions">permissions</a> section of the
|
| -<a href="manifest.html">manifest</a> file, the extension can request access to
|
| -remote servers outside of its origin.</p>
|
| -<pre>{
|
| - "name": "My extension",
|
| - ...
|
| - <b>"permissions": [
|
| - "http://www.google.com/"
|
| - ]</b>,
|
| - ...
|
| -}</pre>
|
| -<p>Cross-origin permission values can be fully qualified host names,
|
| -like these:</p>
|
| -<ul>
|
| - <li> "http://www.google.com/" </li>
|
| - <li> "http://www.gmail.com/" </li>
|
| -</ul>
|
| -<p>Or they can be match patterns, like these:</p>
|
| -<ul>
|
| - <li> "http://*.google.com/" </li>
|
| - <li> "http://*/" </li>
|
| -</ul>
|
| -<p>
|
| -A match pattern of "http://*/" allows HTTP access to all reachable domains.
|
| -Note that here,
|
| -match patterns are similar to <a href="match_patterns.html">content script
|
| -match patterns</a>,
|
| -but any path information following the host is ignored.</p>
|
| -<p>Also note that access is granted both by host and by scheme. If an extension
|
| -wants both secure and non-secure HTTP access to a given host or set
|
| -of hosts, it must declare the permissions separately:</p>
|
| -<pre>"permissions": [
|
| - "http://www.google.com/",
|
| - "https://www.google.com/"
|
| -]
|
| -</pre>
|
| -<h2 id="security-considerations">Security considerations</h2>
|
| -<p>
|
| -When using resources retrieved via XMLHttpRequest, your background page should
|
| -be careful not to fall victim to <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">cross-site
|
| -scripting</a>. Specifically, avoid using dangerous APIs such as the below:
|
| -</p>
|
| -<pre>background.html
|
| -===============
|
| -var xhr = new XMLHttpRequest();
|
| -xhr.open("GET", "http://api.example.com/data.json", true);
|
| -xhr.onreadystatechange = function() {
|
| - if (xhr.readyState == 4) {
|
| - // WARNING! Might be evaluating an evil script!
|
| - var resp = eval("(" + xhr.responseText + ")");
|
| - ...
|
| - }
|
| -}
|
| -xhr.send();
|
| -background.html
|
| -===============
|
| -var xhr = new XMLHttpRequest();
|
| -xhr.open("GET", "http://api.example.com/data.json", true);
|
| -xhr.onreadystatechange = function() {
|
| - if (xhr.readyState == 4) {
|
| - // WARNING! Might be injecting a malicious script!
|
| - document.getElementById("resp").innerHTML = xhr.responseText;
|
| - ...
|
| - }
|
| -}
|
| -xhr.send();
|
| -</pre>
|
| -<p>
|
| -Instead, prefer safer APIs that do not run scripts:
|
| -</p>
|
| -<pre>background.html
|
| -===============
|
| -var xhr = new XMLHttpRequest();
|
| -xhr.open("GET", "http://api.example.com/data.json", true);
|
| -xhr.onreadystatechange = function() {
|
| - if (xhr.readyState == 4) {
|
| - // JSON.parse does not evaluate the attacker's scripts.
|
| - var resp = JSON.parse(xhr.responseText);
|
| - }
|
| -}
|
| -xhr.send();
|
| -background.html
|
| -===============
|
| -var xhr = new XMLHttpRequest();
|
| -xhr.open("GET", "http://api.example.com/data.json", true);
|
| -xhr.onreadystatechange = function() {
|
| - if (xhr.readyState == 4) {
|
| - // innerText does not let the attacker inject HTML elements.
|
| - document.getElementById("resp").innerText = xhr.responseText;
|
| - }
|
| -}
|
| -xhr.send();
|
| -</pre>
|
| -<p>
|
| -Additionally, be especially careful of resources retrieved via HTTP. If your
|
| -extension is used on a hostile network, an network attacker (aka a <a href="http://en.wikipedia.org/wiki/Man-in-the-middle_attack">"man-in-the-middle"</a>)
|
| -could modify the response and, potentially, attack your extension. Instead,
|
| -prefer HTTPS whenever possible.
|
| -</p>
|
| -<!-- END AUTHORED CONTENT -->
|
| -</div>
|
| - <!-- API PAGE -->
|
| - <!-- /apiPage -->
|
| - </div> <!-- /gc-pagecontent -->
|
| - </div> <!-- /g-section -->
|
| - </div> <!-- /codesiteContent -->
|
| - <div id="gc-footer" --="">
|
| - <div class="text">
|
| - <p>
|
| - Except as otherwise <a href="http://code.google.com/policies.html#restrictions">noted</a>,
|
| - the content of this page is licensed under the <a rel="license" href="http://creativecommons.org/licenses/by/3.0/">Creative Commons
|
| - Attribution 3.0 License</a>, and code samples are licensed under the
|
| - <a rel="license" href="http://code.google.com/google_bsd_license.html">BSD License</a>.
|
| - </p>
|
| - <p>
|
| - ©2011 Google
|
| - </p>
|
| -<!-- begin analytics -->
|
| -<script src="https://www.google-analytics.com/urchin.js" type="text/javascript"></script>
|
| -<script src="https://www.google-analytics.com/ga.js" type="text/javascript"></script>
|
| -<script type="text/javascript">
|
| - // chrome doc tracking
|
| - try {
|
| - var engdocs = _gat._getTracker("YT-10763712-2");
|
| - engdocs._trackPageview();
|
| - } catch(err) {}
|
| - // code.google.com site-wide tracking
|
| - try {
|
| - _uacct="UA-18071-1";
|
| - _uanchor=1;
|
| - _uff=0;
|
| - urchinTracker();
|
| - }
|
| - catch(e) {/* urchinTracker not available. */}
|
| -</script>
|
| -<!-- end analytics -->
|
| - </div>
|
| - </div> <!-- /gc-footer -->
|
| - </div> <!-- /gc-container -->
|
| -</body></html>
|
|
|
Chromium Code Reviews
Issue 10642015:
Basic setup for generating app docs (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src