| OLD | NEW |
|---|
| 1 <h1>Cross-Origin XMLHttpRequest</h1> | 1 <h1>Cross-Origin XMLHttpRequest</h1> |
| 2 | 2 |
| 3 | 3 |
| 4 <p id="classSummary"> | 4 <p id="classSummary"> |
| 5 Regular web pages can use the | 5 Regular web pages can use the |
| 6 <a href="http://www.w3.org/TR/XMLHttpRequest/">XMLHttpRequest</a> | 6 <a href="http://www.w3.org/TR/XMLHttpRequest/">XMLHttpRequest</a> |
| 7 object to send and receive data from remote servers, | 7 object to send and receive data from remote servers, |
| 8 but they're limited by the | 8 but they're limited by the |
| 9 <a href="http://en.wikipedia.org/wiki/Same_origin_policy">same origin policy</a>
. | 9 <a href="http://en.wikipedia.org/wiki/Same_origin_policy">same origin policy</a>
. |
| 10 Extensions aren't so limited. | 10 Extensions aren't so limited. |
| (...skipping 17 matching lines...) Expand all Loading... |
| 28 | 28 |
| 29 <p>If the extension attempts to use a security origin other than itself, | 29 <p>If the extension attempts to use a security origin other than itself, |
| 30 say http://www.google.com, | 30 say http://www.google.com, |
| 31 the browser disallows it | 31 the browser disallows it |
| 32 unless the extension has requested the appropriate cross-origin permissions. | 32 unless the extension has requested the appropriate cross-origin permissions. |
| 33 </p> | 33 </p> |
| 34 | 34 |
| 35 <h2 id="requesting-permission">Requesting cross-origin permissions</h2> | 35 <h2 id="requesting-permission">Requesting cross-origin permissions</h2> |
| 36 | 36 |
| 37 <p>By adding hosts or host match patterns (or both) to the | 37 <p>By adding hosts or host match patterns (or both) to the |
| 38 <a href="declare_permissions.html">permissions</a> section of the | 38 <a href="declare_permissions">permissions</a> section of the |
| 39 <a href="manifest.html">manifest</a> file, the extension can request access to | 39 <a href="manifest">manifest</a> file, the extension can request access to |
| 40 remote servers outside of its origin.</p> | 40 remote servers outside of its origin.</p> |
| 41 | 41 |
| 42 <pre data-filename="manifest.json"> | 42 <pre data-filename="manifest.json"> |
| 43 { | 43 { |
| 44 "name": "My extension", | 44 "name": "My extension", |
| 45 ... | 45 ... |
| 46 <b>"permissions": [ | 46 <b>"permissions": [ |
| 47 "http://www.google.com/" | 47 "http://www.google.com/" |
| 48 ]</b>, | 48 ]</b>, |
| 49 ... | 49 ... |
| (...skipping 11 matching lines...) Expand all Loading... |
| 61 <p>Or they can be match patterns, like these:</p> | 61 <p>Or they can be match patterns, like these:</p> |
| 62 | 62 |
| 63 <ul> | 63 <ul> |
| 64 <li> "http://*.google.com/" </li> | 64 <li> "http://*.google.com/" </li> |
| 65 <li> "http://*/" </li> | 65 <li> "http://*/" </li> |
| 66 </ul> | 66 </ul> |
| 67 | 67 |
| 68 <p> | 68 <p> |
| 69 A match pattern of "http://*/" allows HTTP access to all reachable domains. | 69 A match pattern of "http://*/" allows HTTP access to all reachable domains. |
| 70 Note that here, | 70 Note that here, |
| 71 match patterns are similar to <a href="match_patterns.html">content script | 71 match patterns are similar to <a href="match_patterns">content script |
| 72 match patterns</a>, | 72 match patterns</a>, |
| 73 but any path information following the host is ignored.</p> | 73 but any path information following the host is ignored.</p> |
| 74 | 74 |
| 75 <p>Also note that access is granted both by host and by scheme. If an extension | 75 <p>Also note that access is granted both by host and by scheme. If an extension |
| 76 wants both secure and non-secure HTTP access to a given host or set | 76 wants both secure and non-secure HTTP access to a given host or set |
| 77 of hosts, it must declare the permissions separately:</p> | 77 of hosts, it must declare the permissions separately:</p> |
| 78 | 78 |
| 79 <pre data-filename="manifest.json"> | 79 <pre data-filename="manifest.json"> |
| 80 "permissions": [ | 80 "permissions": [ |
| 81 "http://www.google.com/", | 81 "http://www.google.com/", |
| (...skipping 62 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 144 Additionally, be especially careful of resources retrieved via HTTP. If your | 144 Additionally, be especially careful of resources retrieved via HTTP. If your |
| 145 extension is used on a hostile network, an network attacker (aka a <a | 145 extension is used on a hostile network, an network attacker (aka a <a |
| 146 href="http://en.wikipedia.org/wiki/Man-in-the-middle_attack">"man-in-the-middle"
</a>) | 146 href="http://en.wikipedia.org/wiki/Man-in-the-middle_attack">"man-in-the-middle"
</a>) |
| 147 could modify the response and, potentially, attack your extension. Instead, | 147 could modify the response and, potentially, attack your extension. Instead, |
| 148 prefer HTTPS whenever possible. | 148 prefer HTTPS whenever possible. |
| 149 </p> | 149 </p> |
| 150 | 150 |
| 151 <h3 id="interaction-with-csp">Interaction with Content Security Policy</h3> | 151 <h3 id="interaction-with-csp">Interaction with Content Security Policy</h3> |
| 152 | 152 |
| 153 <p> | 153 <p> |
| 154 If you modify the default <a href="contentSecurityPolicy.html">Content | 154 If you modify the default <a href="contentSecurityPolicy">Content |
| 155 Security Policy</a> for apps or extensions by adding a | 155 Security Policy</a> for apps or extensions by adding a |
| 156 <code>content_security_policy</code> attribute to your manifest, you'll need to | 156 <code>content_security_policy</code> attribute to your manifest, you'll need to |
| 157 ensure that any hosts to which you'd like to connect are allowed. While the | 157 ensure that any hosts to which you'd like to connect are allowed. While the |
| 158 default policy doesn't restrict connections to hosts, be careful when explicitly | 158 default policy doesn't restrict connections to hosts, be careful when explicitly |
| 159 adding either the <code>connect-src</code> or <code>default-src</code> | 159 adding either the <code>connect-src</code> or <code>default-src</code> |
| 160 directives. | 160 directives. |
| 161 </p> | 161 </p> |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 219213007:
Remove .html extension from links (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master