Chromium Code Reviews

Side by Side Diff: chrome/common/extensions/docs/static/manifest.html

Issue 9212044: Improving `content_security_policy` documentation. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Meggin's feedback. Created 8 years, 11 months ago
OLD | NEW
1 <div id="pageData-name" class="pageData">Formats: Manifest Files</div> 1 <div id="pageData-name" class="pageData">Formats: Manifest Files</div>
2 <div id="pageData-showTOC" class="pageData">true</div> 2 <div id="pageData-showTOC" class="pageData">true</div>
3 3
4 <p> 4 <p>
5 Every extension, installable web app, and theme has a 5 Every extension, installable web app, and theme has a
6 <a href="http://www.json.org">JSON</a>-formatted manifest file, 6 <a href="http://www.json.org">JSON</a>-formatted manifest file,
7 named <code>manifest.json</code>, 7 named <code>manifest.json</code>,
8 that provides important information. 8 that provides important information.
9 </p> 9 </p>
10 10
(...skipping 21 matching lines...) Expand all
32 <em>// Pick one (or none)</em> 32 <em>// Pick one (or none)</em>
33 "<a href="browserAction.html">browser_action</a>": {...}, 33 "<a href="browserAction.html">browser_action</a>": {...},
34 "<a href="pageAction.html">page_action</a>": {...}, 34 "<a href="pageAction.html">page_action</a>": {...},
35 "<a href="themes.html">theme</a>": {...}, 35 "<a href="themes.html">theme</a>": {...},
36 "<a href="#app">app</a>": {...}, 36 "<a href="#app">app</a>": {...},
37 37
38 <em>// Add any of these that you need</em> 38 <em>// Add any of these that you need</em>
39 "<a href="background_pages.html">background</a>": {...}, 39 "<a href="background_pages.html">background</a>": {...},
40 "<a href="override.html">chrome_url_overrides</a>": {...}, 40 "<a href="override.html">chrome_url_overrides</a>": {...},
41 "<a href="content_scripts.html">content_scripts</a>": [...], 41 "<a href="content_scripts.html">content_scripts</a>": [...],
42 "<a href="#content_security_policy">content_security_policy</a>": "<em>policyS tring</em>", 42 "<a href="contentSecurityPolicy.html">content_security_policy</a>": "<em>polic yString</em>",
43 "<a href="fileBrowserHandler.html">file_browser_handlers</a>": [...], 43 "<a href="fileBrowserHandler.html">file_browser_handlers</a>": [...],
44 "<a href="#homepage_url">homepage_url</a>": "http://<em>path/to/homepage</em>" , 44 "<a href="#homepage_url">homepage_url</a>": "http://<em>path/to/homepage</em>" ,
45 "<a href="#incognito">incognito</a>": "spanning" <em>or</em> "split", 45 "<a href="#incognito">incognito</a>": "spanning" <em>or</em> "split",
46 "<a href="#key">key</a>": "<em>publicKey</em>", 46 "<a href="#key">key</a>": "<em>publicKey</em>",
47 "<a href="#minimum_chrome_version">minimum_chrome_version</a>": "<em>versionSt ring</em>", 47 "<a href="#minimum_chrome_version">minimum_chrome_version</a>": "<em>versionSt ring</em>",
48 "<a href="#nacl_modules">nacl_modules</a>": [...], 48 "<a href="#nacl_modules">nacl_modules</a>": [...],
49 "<a href="#offline_enabled">offline_enabled</a>": true, 49 "<a href="#offline_enabled">offline_enabled</a>": true,
50 "<a href="omnibox.html">omnibox</a>": { "keyword": "<em>aString</em>" }, 50 "<a href="omnibox.html">omnibox</a>": { "keyword": "<em>aString</em>" },
51 "<a href="options.html">options_page</a>": "<em>aFile</em>.html", 51 "<a href="options.html">options_page</a>": "<em>aFile</em>.html",
52 "<a href="#permissions">permissions</a>": [...], 52 "<a href="#permissions">permissions</a>": [...],
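Review bot: The new link target at new line 42, `contentSecurityPolicy.html`, is not part of this file's diff, so please confirm that page lands in the same change; otherwise the field summary points at a missing document. The old target was the in-page anchor `#content_security_policy`, which the next hunk deletes, so any other page that still links to `manifest.html#content_security_policy` needs the same update.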
(...skipping 51 matching lines...) Expand 10 before | Expand all | Expand 10 after
104 (no HTML or other formatting; 104 (no HTML or other formatting;
105 no more than 132 characters) 105 no more than 132 characters)
106 that describes the extension. 106 that describes the extension.
107 The description should be suitable for both 107 The description should be suitable for both
108 the browser's extension management UI 108 the browser's extension management UI
109 and the <a href="https://chrome.google.com/webstore">Chrome Web Store</a>. 109 and the <a href="https://chrome.google.com/webstore">Chrome Web Store</a>.
110 You can specify locale-specific strings for this field; 110 You can specify locale-specific strings for this field;
111 see <a href="i18n.html">Internationalization</a> for details. 111 see <a href="i18n.html">Internationalization</a> for details.
112 </p> 112 </p>
113 113
114 <h3 id="content_security_policy">content_security_policy</h3>
115
116 <p>
117 A security policy to apply to resources in your extension. You can use this
118 policy to help prevent cross-site scripting vulnerabilities in your extension.
119 By default, the extension system enforces the following policy:
120 </p>
121
122 <pre>script-src 'self'; object-src 'self'</pre>
123
124 <p>
125 Extensions can tighten their policy using the
126 <code>content_security_policy</code> manifest attribute. For example, to
127 specify that your extension loads resources only from its own package, use the
128 following policy:
129 </p>
130
131 <pre>"content_security_policy": "default-src 'self' " </pre>
132
133 <p>
134 If you need to load resources from websites,
135 you can add them to the whitelist.
136 For example, if your extension uses Google Analytics,
137 you might use the following policy:
138 </p>
139
140 <pre>"content_security_policy": "default-src 'self' https://ssl.google-analytics .com"</pre>
141
142 <p>
143 The extension system will prevent you including insecure resources
144 for <code>script-src</code> or <code>object-src</code>. If you are using
145 <code>eval</code> to parse JSON, please consider using <code>JSON.parse</code>
146 instead.
147 </p>
148
149 <p>
150 For details, see the
151 <a href="http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specific ation.dev.html">Content Security Policy specification</a>.
152 </p>
153
154
155 <h3 id="homepage_url">homepage_url</h3> 114 <h3 id="homepage_url">homepage_url</h3>
156 115
157 <p> 116 <p>
158 The URL of the homepage for this extension. The extensions management page (chro me://extensions) 117 The URL of the homepage for this extension. The extensions management page (chro me://extensions)
159 will contain a link to this URL. This field is particularly useful if you 118 will contain a link to this URL. This field is particularly useful if you
160 <a href="hosting.html">host the extension on your own site</a>. If you distribut e your 119 <a href="hosting.html">host the extension on your own site</a>. If you distribut e your
161 extension using the <a href="https://chrome.google.com/webstore">Chrome Web Stor e</a>, 120 extension using the <a href="https://chrome.google.com/webstore">Chrome Web Stor e</a>,
162 the homepage URL defaults to the extension's own page. 121 the homepage URL defaults to the extension's own page.
163 </p> 122 </p>
164 123
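Review bot: Deleting old lines 114-153 removes the `id="content_security_policy"` heading, so existing deep links to that anchor will land at the top of the manifest page with no hint of where the text went; consider leaving a one-paragraph stub under the same id that links to the new page. Please also check that the new page carries over the three security-relevant statements removed here: the default policy `script-src 'self'; object-src 'self'`, the rule that insecure resources are rejected for `script-src` and `object-src`, and the advice to use `JSON.parse` instead of `eval`. Those are what an extension author needs in order to understand what the policy enforces when the manifest key is absent.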
(...skipping 557 matching lines...) Expand 10 before | Expand all | Expand 10 after
722 681
723 <pre>"manifest_version": 2</pre> 682 <pre>"manifest_version": 2</pre>
724 683
725 <p> 684 <p>
726 Future breaking changes to the extension system may require a new version 685 Future breaking changes to the extension system may require a new version
727 number. 686 number.
728 </p> 687 </p>
729 688
730 689
731 <!-- [PENDING: Possibly: point to the store/dashboard and make a big deal of the fact that autoupdating is free if you use them.] --> 690 <!-- [PENDING: Possibly: point to the store/dashboard and make a big deal of the fact that autoupdating is free if you use them.] -->