OLD | NEW |
(Empty) | |
| 1 <h1 id="web_accessible_resources">Manifest - Web Accessible Resources</h1> |
| 2 |
| 3 <p> |
| 4 An array of strings specifying the paths (relative to the package root) of |
| 5 packaged resources that are expected to be usable in the context of a web page. |
| 6 For example, an extension that injects a content script with the intention of |
| 7 building up some custom interface for <code>example.com</code> would whitelist |
| 8 any resources that interface requires (images, icons, stylesheets, scripts, |
| 9 etc.) as follows: |
| 10 </p> |
| 11 |
| 12 <pre class="prettyprint"><span class="pun">{</span><span class="pln"> |
| 13 </span><span class="pun">...</span><span class="pln"> |
| 14 </span><span class="str">"web_accessible_resources"</span><span class="pun">:<
/span><span class="pln"> </span><span class="pun">[</span><span class="pln"> |
| 15 </span><span class="str">"images/my-awesome-image1.png"</span><span class="p
un">,</span><span class="pln"> |
| 16 </span><span class="str">"images/my-amazing-icon1.png"</span><span class="pu
n">,</span><span class="pln"> |
| 17 </span><span class="str">"style/double-rainbow.css"</span><span class="pun">
,</span><span class="pln"> |
| 18 </span><span class="str">"script/double-rainbow.js"</span><span class="pln"> |
| 19 </span><span class="pun">],</span><span class="pln"> |
| 20 </span><span class="pun">...</span><span class="pln"> |
| 21 </span><span class="pun">}</span></pre> |
| 22 |
| 23 <p> |
| 24 These resources would then be available in a webpage via the URL |
| 25 <code>chrome-extension://[PACKAGE ID]/[PATH]</code>, which can be generated with |
| 26 the <a href="http://developer.chrome.com/extensions/extension.html#method-getURL
">extension.getURL</a> method. Whitelisted resources are served with appropriate |
| 27 <a href="http://www.w3.org/TR/cors/">CORS</a> headers, so they're available via |
| 28 mechanisms like XHR. |
| 29 </p> |
| 30 |
| 31 <p> |
| 32 Injected content scripts themselves do not need to be whitelisted. |
| 33 </p> |
| 34 |
| 35 <p> |
| 36 Prior to manifest version 2 all resources within an extension could be accessed |
| 37 from any page on the web. This allowed a malicious website to |
| 38 <a href="http://en.wikipedia.org/wiki/Device_fingerprint">fingerprint</a> the |
| 39 extensions that a user has installed or exploit vulnerabilities (for example |
| 40 <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">XSS bugs</a>)within |
| 41 installed extensions. Limiting availability to only resources which are |
| 42 explicitly intended to be web accessible serves to both minimize the available |
| 43 attack surface and protect the privacy of users. |
| 44 </p> |
| 45 |
| 46 <h2 id="availability">Default Availability</h2> |
| 47 |
| 48 <p> |
| 49 Resources inside of packages using <a href="http://developer.chrome.com/extensio
ns/manifest.html#manifest_version"><code>manifest_version</code></a> |
| 50 2 or above are <strong>blocked by default</strong>, and must be whitelisted |
| 51 for use via this property. |
| 52 </p> |
| 53 |
| 54 <p> |
| 55 Resources inside of packages using <code>manifest_version</code> 1 are available |
| 56 by default, but <em>if</em> you do set this property, then it will be treated as |
| 57 a complete list of all whitelisted resources. Resources not listed will be |
| 58 blocked. |
| 59 </p> |
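Review bot: The <pre class="prettyprint"> block at new lines 12-21 commits already-highlighted markup (nested <span class="pun">, <span class="str"> and <span class="pln"> elements) rather than the raw manifest JSON, which makes the example hard to read in review and easy to break when edited. Suggest putting the plain JSON text inside the <pre> and leaving the highlighting to whatever handles the prettyprint class. Separately, at new line 40, "XSS bugs</a>)within" is missing a space after the closing parenthesis. The links at new lines 26 and 49 also hard-code http://developer.chrome.com/extensions/... for what look like sibling pages of this document, so relative links may be preferable there.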