
Unified Diff: chrome/common/extensions/docs/static/manifest.html

Issue 8879039: Update the extension documentation to explain manifest_version. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Created 9 years ago
Index: chrome/common/extensions/docs/static/manifest.html
===================================================================
--- chrome/common/extensions/docs/static/manifest.html (revision 113615)
+++ chrome/common/extensions/docs/static/manifest.html (working copy)
@@ -22,6 +22,7 @@
<em>// Required</em>
"<a href="#name">name</a>": "<em>My Extension</em>",
"<a href="#version">version</a>": "<em>versionString</em>",
+ "<a href="#manifest_version">manifest_version</a>": 2,
<em>// Recommended</em>
"<a href="#description">description</a>": "<em>A plain text description</em>",
@@ -112,13 +113,20 @@
<h3 id="content_security_policy">content_security_policy</h3>
<p>
-A security policy to apply to resources in your extension.
-You can use this policy to help prevent cross-site scripting
-vulnerabilities in your extension.
-To specify that your extension loads resources
-only from its own package, use the following policy:
+A security policy to apply to resources in your extension. You can use this
+policy to help prevent cross-site scripting vulnerabilities in your extension.
+By default, the extension system enforces the following policy:
</p>
+<pre>script-src 'self'; object-src 'self'</pre>
+
+<p>
+Extensions can tighten their policy using the
+<code>content_security_policy</code> manifest attribute. For example, to
+specify that your extension loads resources only from its own package, use the
+following policy:
+</p>
+
<pre>"content_security_policy": "default-src 'self' " </pre>
<p>
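Review bot: The added paragraph says extensions "can tighten their policy" but does not say how a content_security_policy value interacts with the default "script-src 'self'; object-src 'self'": whether it replaces the default or is enforced in addition to it. That matters for the example that follows in the page, "default-src 'self' https://ssl.google-analytics.com", which names a remote origin the stated default does not allow. Add one sentence stating which of the two applies.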
@@ -131,6 +139,13 @@
<pre>"content_security_policy": "default-src 'self' https://ssl.google-analytics.com"</pre>
<p>
+However, the extension system will prevent you including insecure resources
mkearney 2011/12/08 23:52:22 Suggestion to remove 'however'.
+for <code>script-src</code> or <code>object-src</code>. (If you are using
mkearney 2011/12/08 23:52:22 Suggestion to take this sentence out of parenthese
+<code>eval</code> to parse JSON, please consider using <code>JSON.parse</code>
+instead.)
+</p>
+
+<p>
For details, see the
<a href="http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html">Content Security Policy specification</a>.
</p>
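Review bot: "insecure resources" in the added paragraph is not defined, and the text does not say what the extension system does when a policy lists one for script-src or object-src (reject the manifest, or ignore the source). State the rule concretely, for example which schemes count as insecure, and describe the failure so an author can recognise it. The eval sentence also needs a lead-in: nothing before it says that the policy affects eval, so the JSON.parse advice reads as unrelated to the paragraph it sits in.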
@@ -655,4 +670,20 @@
<a href="autoupdate.html">Autoupdating</a>.
</p>
+
+<h3 id="manifest_version">manifest_version</h3>
+
+<p>
+The version of the manifest format that this extension uses. Currently,
+extensions should use the value <code>2</code> (without quotes):
+</p>
+
+<pre>"manifest_version": 2</pre>
+
+<p>
+A larger number might be required in the future if there are breaking changes
mkearney 2011/12/08 23:52:22 I think this can be worded better. How about: Fut
+to the extension system.
+</p>
+
+
<!-- [PENDING: Possibly: point to the store/dashboard and make a big deal of the fact that autoupdating is free if you use them.] -->
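Review bot: The new manifest_version section says which value to use but not what that value changes or what happens when the field is left out, so a reader cannot tell why it belongs in the manifest. Add a sentence on the effect of 2 and on how a manifest without the field is treated. The hunk also adds two consecutive blank lines before the PENDING comment; one is enough.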