| OLD | NEW |
|---|
| (Empty) | |
| 1 <h1 id="sandbox">Manifest - Sandbox</h1> |
| 2 |
| 3 <p> |
| 4 Defines an collection of app or extension pages that are to be served |
| 5 in a sandboxed unique origin, and optionally a Content Security Policy to use |
| 6 with them. Being in a sandbox has two implications: |
| 7 </p> |
| 8 |
| 9 <ol> |
| 10 <li>A sandboxed page will not have access to extension or app APIs, or |
| 11 direct access to non-sandboxed pages (it may communicate with them via |
| 12 <code>postMessage()</code>).</li> |
| 13 <li> |
| 14 <p>A sandboxed page is not subject to the |
| 15 <a href="http://developer.chrome.com/extensions/contentSecurityPolicy.html">Co
ntent Security Policy |
| 16 (CSP)</a> used by the rest of the app or extension (it has its own separate |
| 17 CSP value). This means that, for example, it can use inline script and |
| 18 <code>eval</code>.</p> |
| 19 |
| 20 <p>For example, here's how to specify that two extension pages are to be |
| 21 served in a sandbox with a custom CSP:</p> |
| 22 |
| 23 <pre class="prettyprint"><span class="pun">{</span><span class="pln"> |
| 24 </span><span class="pun">...</span><span class="pln"> |
| 25 </span><span class="str">"sandbox"</span><span class="pun">:</span><span class
="pln"> </span><span class="pun">{</span><span class="pln"> |
| 26 </span><span class="str">"pages"</span><span class="pun">:</span><span class
="pln"> </span><span class="pun">[</span><span class="pln"> |
| 27 </span><span class="str">"page1.html"</span><span class="pun">,</span><spa
n class="pln"> |
| 28 </span><span class="str">"directory/page2.html"</span><span class="pln"> |
| 29 </span><span class="pun">]</span><span class="pln"> |
| 30 </span><i><span class="com">// content_security_policy is optional.</span></
i><span class="pln"> |
| 31 </span><span class="str">"content_security_policy"</span><span class="pun">:
</span><span class="pln"> |
| 32 </span><span class="str">"sandbox allow-scripts; script-src https://www.
google.com"</span><span class="pln"> |
| 33 </span><span class="pun">],</span><span class="pln"> |
| 34 </span><span class="pun">...</span><span class="pln"> |
| 35 </span><span class="pun">}</span></pre> |
| 36 |
| 37 <p> |
| 38 If not specified, the default <code>content_security_policy</code> value is |
| 39 <code>sandbox allow-scripts allow-forms</code>. You can specify your CSP |
| 40 value to restrict the sandbox even further, but it must have the <code>sandbox
</code> |
| 41 directive and may not have the <code>allow-same-origin</code> token (see |
| 42 <a href="http://www.whatwg.org/specs/web-apps/current-work/multipage/the-ifram
e-element.html#attr-iframe-sandbox">the |
| 43 HTML5 specification</a> for possible sandbox tokens). |
| 44 </p> |
| 45 </li> |
| 46 </ol> |
| 47 |
| 48 <p> |
| 49 Note that you only need to list pages that you expected to be loaded in |
| 50 windows or frames. Resources used by sandboxed pages (e.g. stylesheets or |
| 51 JavaScript source files) do not need to appear in the |
| 52 <code>sandboxed_page</code> list, they will use the sandbox of the page |
| 53 that embeds them. |
| 54 </p> |
| 55 |
| 56 <p> |
| 57 <a href="http://developer.chrome.com/extensions/sandboxingEval.html">"Using eval
in Chrome Extensions. Safely."</a> |
| 58 goes into more detail about implementing a sandboxing workflow that enables use |
| 59 of libraries that would otherwise have issues executing under extension's |
| 60 <a href="http://developer.chrome.com/extensions/contentSecurityPolicy.html">defa
ult Content Security |
| 61 Policy</a>. |
| 62 </p> |
| 63 |
| 64 <p> |
| 65 Sandboxed page may only be specified when using |
| 66 <a href="http://developer.chrome.com/extensions/manifest.html#manifest_version">
<code>manifest_version</code></a> 2 or above. |
| 67 </p> |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 14273041:
Doc server manifest page generation (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master