| OLD | NEW |
| (Empty) |
| 1 <h1 id="sandbox">Manifest - Sandbox</h1> | |
| 2 | |
| 3 <p> | |
| 4 Defines an collection of app or extension pages that are to be served | |
| 5 in a sandboxed unique origin, and optionally a Content Security Policy to use | |
| 6 with them. Being in a sandbox has two implications: | |
| 7 </p> | |
| 8 | |
| 9 <ol> | |
| 10 <li>A sandboxed page will not have access to extension or app APIs, or | |
| 11 direct access to non-sandboxed pages (it may communicate with them via | |
| 12 <code>postMessage()</code>).</li> | |
| 13 <li> | |
| 14 <p>A sandboxed page is not subject to the | |
| 15 <a href="http://developer.chrome.com/extensions/contentSecurityPolicy.html">Co
ntent Security Policy | |
| 16 (CSP)</a> used by the rest of the app or extension (it has its own separate | |
| 17 CSP value). This means that, for example, it can use inline script and | |
| 18 <code>eval</code>.</p> | |
| 19 | |
| 20 <p>For example, here's how to specify that two extension pages are to be | |
| 21 served in a sandbox with a custom CSP:</p> | |
| 22 | |
| 23 <pre class="prettyprint"><span class="pun">{</span><span class="pln"> | |
| 24 </span><span class="pun">...</span><span class="pln"> | |
| 25 </span><span class="str">"sandbox"</span><span class="pun">:</span><span class
="pln"> </span><span class="pun">{</span><span class="pln"> | |
| 26 </span><span class="str">"pages"</span><span class="pun">:</span><span class
="pln"> </span><span class="pun">[</span><span class="pln"> | |
| 27 </span><span class="str">"page1.html"</span><span class="pun">,</span><spa
n class="pln"> | |
| 28 </span><span class="str">"directory/page2.html"</span><span class="pln"> | |
| 29 </span><span class="pun">]</span><span class="pln"> | |
| 30 </span><i><span class="com">// content_security_policy is optional.</span></
i><span class="pln"> | |
| 31 </span><span class="str">"content_security_policy"</span><span class="pun">:
</span><span class="pln"> | |
| 32 </span><span class="str">"sandbox allow-scripts; script-src https://www.
google.com"</span><span class="pln"> | |
| 33 </span><span class="pun">],</span><span class="pln"> | |
| 34 </span><span class="pun">...</span><span class="pln"> | |
| 35 </span><span class="pun">}</span></pre> | |
| 36 | |
| 37 <p> | |
| 38 If not specified, the default <code>content_security_policy</code> value is | |
| 39 <code>sandbox allow-scripts allow-forms</code>. You can specify your CSP | |
| 40 value to restrict the sandbox even further, but it must have the <code>sandbox
</code> | |
| 41 directive and may not have the <code>allow-same-origin</code> token (see | |
| 42 <a href="http://www.whatwg.org/specs/web-apps/current-work/multipage/the-ifram
e-element.html#attr-iframe-sandbox">the | |
| 43 HTML5 specification</a> for possible sandbox tokens). | |
| 44 </p> | |
| 45 </li> | |
| 46 </ol> | |
| 47 | |
| 48 <p> | |
| 49 Note that you only need to list pages that you expected to be loaded in | |
| 50 windows or frames. Resources used by sandboxed pages (e.g. stylesheets or | |
| 51 JavaScript source files) do not need to appear in the | |
| 52 <code>sandboxed_page</code> list, they will use the sandbox of the page | |
| 53 that embeds them. | |
| 54 </p> | |
| 55 | |
| 56 <p> | |
| 57 <a href="http://developer.chrome.com/extensions/sandboxingEval.html">"Using eval
in Chrome Extensions. Safely."</a> | |
| 58 goes into more detail about implementing a sandboxing workflow that enables use | |
| 59 of libraries that would otherwise have issues executing under extension's | |
| 60 <a href="http://developer.chrome.com/extensions/contentSecurityPolicy.html">defa
ult Content Security | |
| 61 Policy</a>. | |
| 62 </p> | |
| 63 | |
| 64 <p> | |
| 65 Sandboxed page may only be specified when using | |
| 66 <a href="http://developer.chrome.com/extensions/manifest.html#manifest_version">
<code>manifest_version</code></a> 2 or above. | |
| 67 </p> | |
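Review bot: The manifest example in the <pre> block (file lines 23-35) is not well-formed: the "sandbox" object opened with { on file line 25 is closed with ], on file line 33, and there is no comma after the ] on file line 29 that closes the "pages" array before "content_security_policy" follows. Suggest closing the object with }, and adding the comma after the array, so that a reader who copies the snippet gets a manifest that parses. The paragraph at file lines 49-53 also refers to a sandboxed_page list, while the example declares the pages under "sandbox" / "pages"; use the same name in both places. Minor wording: "an collection" (file line 4), "pages that you expected" (file line 49), "under extension's" (file line 59) and "Sandboxed page may only be specified" (file line 65).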