Index: chrome/common/extensions/docs/static/contentSecurityPolicy.html |
diff --git a/chrome/common/extensions/docs/static/contentSecurityPolicy.html b/chrome/common/extensions/docs/static/contentSecurityPolicy.html |
index e70b58fbb3e36e72e476f7c4c8bcd4c48d5f6a02..abf6da0bd7887b4ae9f3afe842f875c24ecc5d04 100644 |
--- a/chrome/common/extensions/docs/static/contentSecurityPolicy.html |
+++ b/chrome/common/extensions/docs/static/contentSecurityPolicy.html |
@@ -39,7 +39,9 @@ |
For full details regarding CSP's syntax, please take a look at |
<a href="http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#syntax"> |
the Content Security Policy specification |
- </a>. |
+ </a>, and the <a href="http://www.html5rocks.com/en/tutorials/security/content-security-policy/"> |
+ "An Introduction to Content Security Policy" |
+ </a> article on HTML5Rocks. |
</p> |
<h2>Default Policy Restrictions</h2> |
@@ -219,7 +221,10 @@ popup.html: |
<p> |
There is no mechanism for relaxing the restriction against executing inline |
JavaScript. In particular, setting a script policy that includes |
- <code>unsafe-inline</code> will have no effect. This is intentional. |
+ <code>unsafe-inline</code> will have no effect. Likewise, there is no |
+ mechanism for enabling <code>eval</code>-like constructs. Setting a script |
+ policy that includes <code>unsafe-eval</code> will have no effect. This is |
+ intentional. |
</p> |
<p> |
@@ -243,6 +248,14 @@ popup.html: |
<code>http://localhost</code>. |
</p> |
+<p class="note"> |
+ The restriction against resources loaded over HTTP applies only to those |
+ resources which are directly executed. You're still free, for example, to |
+ make XMLHTTPRequest connections to any origin you like; the default policy |
+ doesn't restrict <code>connect-src</code> or any of the other CSP directives |
+ in any way. |
+</p> |
+ |
<p> |
A relaxed policy definition which allows script resources to be loaded from |
<code>example.com</code> over HTTPS might look like: |