OLD | NEW |
1 <!DOCTYPE html><!-- This page is a placeholder for generated extensions api doc.
Note: | 1 <!DOCTYPE html><!-- This page is a placeholder for generated extensions api doc.
Note: |
2 1) The <head> information in this page is significant, should be uniform | 2 1) The <head> information in this page is significant, should be uniform |
3 across api docs and should be edited only with knowledge of the | 3 across api docs and should be edited only with knowledge of the |
4 templating mechanism. | 4 templating mechanism. |
5 3) All <body>.innerHTML is genereated as an rendering step. If viewed in a | 5 3) All <body>.innerHTML is genereated as an rendering step. If viewed in a |
6 browser, it will be re-generated from the template, json schema and | 6 browser, it will be re-generated from the template, json schema and |
7 authored overview content. | 7 authored overview content. |
8 4) The <body>.innerHTML is also generated by an offline step so that this | 8 4) The <body>.innerHTML is also generated by an offline step so that this |
9 page may easily be indexed by search engines. | 9 page may easily be indexed by search engines. |
10 --><html xmlns="http://www.w3.org/1999/xhtml"><head> | 10 --><html xmlns="http://www.w3.org/1999/xhtml"><head> |
(...skipping 235 matching lines...)
246 </p> | 246 </p> |
247 <pre>{ | 247 <pre>{ |
248 ..., | 248 ..., |
249 "content_security_policy": "[POLICY STRING GOES HERE]" | 249 "content_security_policy": "[POLICY STRING GOES HERE]" |
250 ... | 250 ... |
251 }</pre> | 251 }</pre> |
252 <p class="note"> | 252 <p class="note"> |
253 For full details regarding CSP's syntax, please take a look at | 253 For full details regarding CSP's syntax, please take a look at |
254 <a href="http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specif
ication.dev.html#syntax"> | 254 <a href="http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specif
ication.dev.html#syntax"> |
255 the Content Security Policy specification | 255 the Content Security Policy specification |
256 </a>. | 256 </a>, and the <a href="http://www.html5rocks.com/en/tutorials/security/content
-security-policy/"> |
| 257 "An Introduction to Content Security Policy" |
| 258 </a> article on HTML5Rocks. |
257 </p> | 259 </p> |
258 <a name="H2-0"></a><h2>Default Policy Restrictions</h2> | 260 <a name="H2-0"></a><h2>Default Policy Restrictions</h2> |
259 <p> | 261 <p> |
260 Packages that do not define a <a href="manifestVersion.html"> | 262 Packages that do not define a <a href="manifestVersion.html"> |
261 <code>manifest_version</code> | 263 <code>manifest_version</code> |
262 </a> have no default content security policy. Those that select | 264 </a> have no default content security policy. Those that select |
263 <code>manifest_version</code> 2, have a default content security policy | 265 <code>manifest_version</code> 2, have a default content security policy |
264 of: | 266 of: |
265 </p> | 267 </p> |
266 <pre>script-src 'self'; object-src 'self'</pre> | 268 <pre>script-src 'self'; object-src 'self'</pre> |
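Review bot: the anchor text added at new lines 257-258 wraps the article title in literal double quotes, while the neighbouring spec link (line 255) uses plain text; pick one citation style for both links, e.g. drop the quotes and write `An Introduction to Content Security Policy`, or quote the spec title the same way. Also, new line 256 now joins the two references with `</a>, and the <a ...>`, so double-check the rendered sentence still ends with the period after "HTML5Rocks" and not with a stray one after the first link.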
(...skipping 128 matching lines...)
395 <script src="<strong>jquery.min.js</strong>"></script> | 397 <script src="<strong>jquery.min.js</strong>"></script> |
396 </head> | 398 </head> |
397 <body> | 399 <body> |
398 <button>Click for awesomeness!</button> | 400 <button>Click for awesomeness!</button> |
399 </body> | 401 </body> |
400 </html></pre> | 402 </html></pre> |
401 <a name="H2-3"></a><h2>Relaxing the default policy</h2> | 403 <a name="H2-3"></a><h2>Relaxing the default policy</h2> |
402 <p> | 404 <p> |
403 There is no mechanism for relaxing the restriction against executing inline | 405 There is no mechanism for relaxing the restriction against executing inline |
404 JavaScript. In particular, setting a script policy that includes | 406 JavaScript. In particular, setting a script policy that includes |
405 <code>unsafe-inline</code> will have no effect. This is intentional. | 407 <code>unsafe-inline</code> will have no effect. Likewise, there is no |
| 408 mechanism for enabling <code>eval</code>-like constructs. Setting a script |
| 409 policy that includes <code>unsafe-eval</code> will have no effect. This is |
| 410 intentional. |
406 </p> | 411 </p> |
407 <p> | 412 <p> |
408 If, on the other hand, you have a need for some external JavaScript or object | 413 If, on the other hand, you have a need for some external JavaScript or object |
409 resources, you can relax the policy to a limited extent by whitelisting | 414 resources, you can relax the policy to a limited extent by whitelisting |
410 secure origins from which scripts should be accepted. We want to ensure that | 415 secure origins from which scripts should be accepted. We want to ensure that |
411 executable resources loaded with an extension's elevated permissions are | 416 executable resources loaded with an extension's elevated permissions are |
412 exactly the resources you expect, and haven't been replaced by an active | 417 exactly the resources you expect, and haven't been replaced by an active |
413 network attacker. As <a href="http://en.wikipedia.org/wiki/Man-in-the-middle_a
ttack">man-in-the-middle | 418 network attacker. As <a href="http://en.wikipedia.org/wiki/Man-in-the-middle_a
ttack">man-in-the-middle |
414 attacks</a> are both trivial and undetectable over HTTP, those origins will | 419 attacks</a> are both trivial and undetectable over HTTP, those origins will |
415 not be accepted. Currently, we allow whitelisting origins with the following | 420 not be accepted. Currently, we allow whitelisting origins with the following |
416 schemes: <code>HTTPS</code>, <code>chrome-extension</code>, and | 421 schemes: <code>HTTPS</code>, <code>chrome-extension</code>, and |
417 <code>chrome-extension-resource</code>. | 422 <code>chrome-extension-resource</code>. |
418 </p> | 423 </p> |
419 <p> | 424 <p> |
420 To ease development, we're also allowing the whitelisting of resources loaded | 425 To ease development, we're also allowing the whitelisting of resources loaded |
421 over HTTP from servers on your local machine. You may whitelist script and | 426 over HTTP from servers on your local machine. You may whitelist script and |
422 object sources on any port of either <code>http://127.0.0.1</code> or | 427 object sources on any port of either <code>http://127.0.0.1</code> or |
423 <code>http://localhost</code>. | 428 <code>http://localhost</code>. |
424 </p> | 429 </p> |
| 430 <p class="note"> |
| 431 The restriction against resources loaded over HTTP applies only to those |
| 432 resources which are directly executed. You're still free, for example, to |
| 433 make XMLHTTPRequest connections to any origin you like; the default policy |
| 434 doesn't restrict <code>connect-src</code> or any of the other CSP directives |
| 435 in any way. |
| 436 </p> |
425 <p> | 437 <p> |
426 A relaxed policy definition which allows script resources to be loaded from | 438 A relaxed policy definition which allows script resources to be loaded from |
427 <code>example.com</code> over HTTPS might look like: | 439 <code>example.com</code> over HTTPS might look like: |
428 </p> | 440 </p> |
429 <pre>{ | 441 <pre>{ |
430 ..., | 442 ..., |
431 "content_security_policy": "script-src 'self' https://example.com; object-src
'self'", | 443 "content_security_policy": "script-src 'self' https://example.com; object-src
'self'", |
432 ... | 444 ... |
433 }</pre> | 445 }</pre> |
434 <p class="note"> | 446 <p class="note"> |
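Review bot: `XMLHTTPRequest` at new line 433 should be `XMLHttpRequest`, the actual name of the API. The same note (lines 431-435) says the default policy "doesn't restrict `connect-src` or any of the other CSP directives in any way", which is accurate for the default `script-src 'self'; object-src 'self'` policy but could be read as a guarantee about any policy; consider "the default policy sets no `connect-src` (or other) directive, so those loads are governed only by what you declare yourself". Worth one more sentence here too: the man-in-the-middle point made at lines 416-420 still applies to data fetched over HTTP, so such responses should be treated as untrusted input rather than as something safe to inject into the extension's pages. The `unsafe-eval` text added at lines 407-410 reads clearly; moving "This is intentional." to the end so it covers both restrictions is the right call.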
(...skipping 60 matching lines...)
495 _uff=0; | 507 _uff=0; |
496 urchinTracker(); | 508 urchinTracker(); |
497 } | 509 } |
498 catch(e) {/* urchinTracker not available. */} | 510 catch(e) {/* urchinTracker not available. */} |
499 </script> | 511 </script> |
500 <!-- end analytics --> | 512 <!-- end analytics --> |
501 </div> | 513 </div> |
502 </div> <!-- /gc-footer --> | 514 </div> <!-- /gc-footer --> |
503 </div> <!-- /gc-container --> | 515 </div> <!-- /gc-container --> |
504 </body></html> | 516 </body></html> |