Chromium Code Reviews

Side by Side Diff: chrome/common/extensions/docs/templates/articles/manifest/web_accessible_resources.html

Issue 219213007: Remove .html extension from links (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 6 years, 7 months ago
OLD | NEW
1 <h1 id="web_accessible_resources">Manifest - Web Accessible Resources</h1> 1 <h1 id="web_accessible_resources">Manifest - Web Accessible Resources</h1>
2 2
3 <p> 3 <p>
4 An array of strings specifying the paths of packaged resources that are expected 4 An array of strings specifying the paths of packaged resources that are expected
5 to be usable in the context of a web page. These paths are relative to the packa ge 5 to be usable in the context of a web page. These paths are relative to the packa ge
6 root, and may contain wildcards. 6 root, and may contain wildcards.
7 For example, an extension that injects a content script with the intention of 7 For example, an extension that injects a content script with the intention of
8 building up some custom interface for <code>example.com</code> would whitelist 8 building up some custom interface for <code>example.com</code> would whitelist
9 any resources that interface requires (images, icons, stylesheets, scripts, 9 any resources that interface requires (images, icons, stylesheets, scripts,
10 etc.) as follows: 10 etc.) as follows:
11 </p> 11 </p>
12 12
13 <pre data-filename="manifest.json"> 13 <pre data-filename="manifest.json">
14 { 14 {
15 ... 15 ...
16 "web_accessible_resources": [ 16 "web_accessible_resources": [
17 "images/*.png", 17 "images/*.png",
18 "style/double-rainbow.css", 18 "style/double-rainbow.css",
19 "script/double-rainbow.js", 19 "script/double-rainbow.js",
20 "script/main.js", 20 "script/main.js",
21 "templates/*" 21 "templates/*"
22 ], 22 ],
23 ... 23 ...
24 } 24 }
25 </pre> 25 </pre>
26 26
27 <p> 27 <p>
28 These resources would then be available in a webpage via the URL 28 These resources would then be available in a webpage via the URL
29 <code>chrome-extension://[PACKAGE ID]/[PATH]</code>, which can be generated with 29 <code>chrome-extension://[PACKAGE ID]/[PATH]</code>, which can be generated with
30 the <a href="http://developer.chrome.com/extensions/extension.html#method-getURL ">extension.getURL</a> method. Whitelisted resources are served with appropriate 30 the <a href="http://developer.chrome.com/extensions/extension#method-getURL">ext ension.getURL</a> method. Whitelisted resources are served with appropriate
31 <a href="http://www.w3.org/TR/cors/">CORS</a> headers, so they're available via 31 <a href="http://www.w3.org/TR/cors/">CORS</a> headers, so they're available via
32 mechanisms like XHR. 32 mechanisms like XHR.
33 </p> 33 </p>
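Review bot: On line 30 the getURL link is still a hand-written absolute URL, while line 40 of the same file references APIs with the $(ref:...) template syntax. If that syntax can address a method, consider using it here too (something like $(ref:extension.getURL)), so the link is generated by the docs server and does not need another edit the next time the URL layout changes.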
34 34
35 <p> 35 <p>
36 A navigation from a web origin to an extension resource will be blocked unless 36 A navigation from a web origin to an extension resource will be blocked unless
37 the resource is listed as web accessible. Note these corner cases: 37 the resource is listed as web accessible. Note these corner cases:
38 </p> 38 </p>
39 <ul> 39 <ul>
40 <li>When an extension uses the $(ref:webRequest) or $(ref:declarativeWebRequest) 40 <li>When an extension uses the $(ref:webRequest) or $(ref:declarativeWebRequest)
41 APIs to redirect a public resource request to a resource that is not web 41 APIs to redirect a public resource request to a resource that is not web
42 accessible, such request is also blocked.</li> 42 accessible, such request is also blocked.</li>
43 <li>The above holds true even if the resource that is not web accessible is 43 <li>The above holds true even if the resource that is not web accessible is
44 owned by the redirecting extension.</li> 44 owned by the redirecting extension.</li>
45 </ul> 45 </ul>
46 46
47 <p> 47 <p>
48 <a href="http://developer.chrome.com/extensions/content_scripts.html">Content sc ripts</a> themselves do not need to be whitelisted. 48 <a href="http://developer.chrome.com/extensions/content_scripts">Content scripts </a> themselves do not need to be whitelisted.
49 </p> 49 </p>
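Review bot: The href on line 48 (and again on line 65) keeps the http://developer.chrome.com/extensions/ prefix, so the link stays absolute and is fetched over plain HTTP. Since these lines are being touched anyway, a relative href such as content_scripts (and manifest#manifest_version on line 65) would keep readers on whichever docs host served the page and drop the insecure scheme; if the absolute form has to stay, switch it to https://.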
50 50
51 <p> 51 <p>
52 Prior to manifest version 2 all resources within an extension could be accessed 52 Prior to manifest version 2 all resources within an extension could be accessed
53 from any page on the web. This allowed a malicious website to 53 from any page on the web. This allowed a malicious website to
54 <a href="http://en.wikipedia.org/wiki/Device_fingerprint">fingerprint</a> the 54 <a href="http://en.wikipedia.org/wiki/Device_fingerprint">fingerprint</a> the
55 extensions that a user has installed or exploit vulnerabilities (for example 55 extensions that a user has installed or exploit vulnerabilities (for example
56 <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">XSS bugs</a>) within 56 <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">XSS bugs</a>) within
57 installed extensions. Limiting availability to only resources which are 57 installed extensions. Limiting availability to only resources which are
58 explicitly intended to be web accessible serves to both minimize the available 58 explicitly intended to be web accessible serves to both minimize the available
59 attack surface and protect the privacy of users. 59 attack surface and protect the privacy of users.
60 </p> 60 </p>
61 61
62 <h2 id="availability">Default Availability</h2> 62 <h2 id="availability">Default Availability</h2>
63 63
64 <p> 64 <p>
65 Resources inside of packages using <a href="http://developer.chrome.com/extensio ns/manifest.html#manifest_version"><code>manifest_version</code></a> 65 Resources inside of packages using <a href="http://developer.chrome.com/extensio ns/manifest#manifest_version"><code>manifest_version</code></a>
66 2 or above are <strong>blocked by default</strong>, and must be whitelisted 66 2 or above are <strong>blocked by default</strong>, and must be whitelisted
67 for use via this property. 67 for use via this property.
68 </p> 68 </p>
69 69
70 <p> 70 <p>
71 Resources inside of packages using <code>manifest_version</code> 1 are available 71 Resources inside of packages using <code>manifest_version</code> 1 are available
72 by default, but <em>if</em> you do set this property, then it will be treated as 72 by default, but <em>if</em> you do set this property, then it will be treated as
73 a complete list of all whitelisted resources. Resources not listed will be 73 a complete list of all whitelisted resources. Resources not listed will be
74 blocked. 74 blocked.
75 </p> 75 </p>