Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(5376)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: chrome/common/extensions/docs/manifest.html

Issue 8879039: Update the extension documentation to explain manifest_version. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: '' Created 9 years ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « no previous file | chrome/common/extensions/docs/static/manifest.html » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: chrome/common/extensions/docs/manifest.html
===================================================================
--- chrome/common/extensions/docs/manifest.html (revision 113772)
+++ chrome/common/extensions/docs/manifest.html (working copy)
@@ -338,6 +338,8 @@
<a href="#permissions">permissions</a>
</li><li>
<a href="#version">version</a>
+ </li><li>
+ <a href="#manifest_version">manifest_version</a>
</li>
</ol>
</li>
@@ -383,6 +385,7 @@
<em>// Required</em>
"<a href="#name">name</a>": "<em>My Extension</em>",
"<a href="#version">version</a>": "<em>versionString</em>",
+ "<a href="#manifest_version">manifest_version</a>": 2,
<em>// Recommended</em>
"<a href="#description">description</a>": "<em>A plain text description</em>",
@@ -473,13 +476,20 @@
<h3 id="content_security_policy">content_security_policy</h3>
<p>
-A security policy to apply to resources in your extension.
-You can use this policy to help prevent cross-site scripting
-vulnerabilities in your extension.
-To specify that your extension loads resources
-only from its own package, use the following policy:
+A security policy to apply to resources in your extension. You can use this
+policy to help prevent cross-site scripting vulnerabilities in your extension.
+By default, the extension system enforces the following policy:
</p>
+<pre>script-src 'self'; object-src 'self'</pre>
+
+<p>
+Extensions can tighten their policy using the
+<code>content_security_policy</code> manifest attribute. For example, to
+specify that your extension loads resources only from its own package, use the
+following policy:
+</p>
+
<pre>"content_security_policy": "default-src 'self' " </pre>
<p>
@@ -492,6 +502,13 @@
<pre>"content_security_policy": "default-src 'self' https://ssl.google-analytics.com"</pre>
<p>
+The extension system will prevent you including insecure resources
+for <code>script-src</code> or <code>object-src</code>. If you are using
+<code>eval</code> to parse JSON, please consider using <code>JSON.parse</code>
+instead.
+</p>
+
+<p>
For details, see the
<a href="http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html">Content Security Policy specification</a>.
</p>
@@ -1012,6 +1029,22 @@
<a href="autoupdate.html">Autoupdating</a>.
</p>
+
+<h3 id="manifest_version">manifest_version</h3>
+
+<p>
+The version of the manifest format that this extension uses. Currently,
+extensions should use the value <code>2</code> (without quotes):
+</p>
+
+<pre>"manifest_version": 2</pre>
+
+<p>
+Future breaking changes to the extension system may require a new version
+number.
+</p>
+
+
<!-- [PENDING: Possibly: point to the store/dashboard and make a big deal of the fact that autoupdating is free if you use them.] -->
</div>
« no previous file with comments | « no previous file | chrome/common/extensions/docs/static/manifest.html » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698