| OLD | NEW |
| 1 # Extension Features Files | 1 # Extension Features Files |
| 2 | 2 |
| 3 [TOC] | 3 [TOC] |
| 4 | 4 |
| 5 ## Summary | 5 ## Summary |
| 6 | 6 |
| 7 The Extension features files specify the different requirements for extension | 7 The Extension features files specify the different requirements for extension |
| 8 feature availability. | 8 feature availability. |
| 9 | 9 |
| 10 An **extension feature** can be any component of extension capabilities. Most | 10 An **extension feature** can be any component of extension capabilities. Most |
| (...skipping 270 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 281 often useful to link the crbug next to the id hash, e.g.: | 281 often useful to link the crbug next to the id hash, e.g.: |
| 282 ``` | 282 ``` |
| 283 "whitelist": [ | 283 "whitelist": [ |
| 284 "9A0417016F345C934A1A88F55CA17C05014EEEBA" // crbug.com/<num> | 284 "9A0417016F345C934A1A88F55CA17C05014EEEBA" // crbug.com/<num> |
| 285 ] | 285 ] |
| 286 ``` | 286 ``` |
| 287 | 287 |
| 288 Google employees: please update http://go/chrome-api-whitelist to map hashes | 288 Google employees: please update http://go/chrome-api-whitelist to map hashes |
| 289 back to ids. | 289 back to ids. |
| 290 | 290 |
| 291 ## Feature Contexts |
| 292 |
| 293 A Feature Context is the type of JavaScript context that a feature can be made |
| 294 available in. This allows us to restrict certain features to only being |
| 295 accessible in more secure contexts, or to expose features to contexts outside |
| 296 of extensions. |
| 297 |
| 298 For each of these contexts, an "extension" context can refer to a context of |
| 299 either an app or an extension. |
| 300 |
| 301 ### Blessed Extension Contexts |
| 302 |
| 303 The `blessed_extension` context refers to a JavaScript context running from an |
| 304 extension process. These are typically the most secure JavaScript contexts, as |
| 305 it reduces the likelihood that a compromised web page renderer will have access |
| 306 to secure APIs. |
| 307 |
| 308 Traditionally, only pages with a top-level extension frame (with a |
| 309 `chrome-extension://` scheme), extension popups, and app windows were blessed |
| 310 extension contexts. With [site isolation](https://www.chromium.org/developers/de
sign-documents/site-isolation), |
| 311 extension frames running in web pages are also considered blessed extension |
| 312 contexts, since they are running in the extension process (rather than in the |
| 313 same process as the web page). |
| 314 |
| 315 ### Blessed Web Page Contexts |
| 316 |
| 317 The `blessed_web_page` context refers to a JavaScript context running from a |
| 318 hosted app. These are similar to blessed extension contexts in that they are |
| 319 (partially) isolated from other processes, but are typically more restricted |
| 320 than blessed extension processes, since hosted apps generally have fewer |
| 321 permissions. Note that these contexts are unaffected by the `matches` property. |
| 322 |
| 323 ### Content Script Contexts |
| 324 |
| 325 The `content_script` context refers to a JavaScript context for an extension |
| 326 content script. Since content scripts share a process with (and run on the same |
| 327 content as) web pages, these are considered very insecure contexts. Very few |
| 328 features should be exposed to these contexts. |
| 329 |
| 330 ### Service Worker Contexts |
| 331 |
| 332 The `extension_service_worker` context refers to a JavaScript context for an |
| 333 extension's service worker. An extension can only register a service worker for |
| 334 it's own domain, and these should only be run within an extension process. Thus, |
| 335 these have similar privilege levels to blessed extension processes. |
| 336 |
| 337 ### Web Page Contexts |
| 338 |
| 339 The `web_page` context refers to a JavaScript context for a simple web page, |
| 340 completely separate from extensions. This is the least secure of all contexts, |
| 341 and very few features should be exposed to these contexts. When specifying this |
| 342 context, an accompanying URL pattern should be provided with the `matches` |
| 343 property. |
| 344 |
| 345 ### WebUI Contexts |
| 346 |
| 347 The `webui` context refers to a JavaScript context for a page with WebUI |
| 348 bindings, such as internal chrome pages like chrome://settings or |
| 349 chrome://extensions. These are considered secure contexts, since they are |
| 350 an internal part of chrome. When specifying this context, an accompanying URL |
| 351 pattern should be provided with the `matches` property. |
| 352 |
| 353 ### Unblessed Extension Contexts |
| 354 |
| 355 The `unblessed_extension` context refers to a JavaScript context for an |
| 356 extension frame that is embedded in an external page, like a web page, and |
| 357 runs in the same process as the embedder. Given the limited separation between |
| 358 the (untrusted) embedder and the extension frame, relatively few features are |
| 359 exposed in these contexts. Note that with [site isolation](https://www.chromium.
org/developers/design-documents/site-isolation), |
| 360 extension frames (even those embedded in web pages) run in the trusted |
| 361 extension process, and become blessed extension contexts. |
| 362 |
| 291 ## Compilation | 363 ## Compilation |
| 292 | 364 |
| 293 The feature files are compiled as part of the suite of tools in | 365 The feature files are compiled as part of the suite of tools in |
| 294 //tools/json\_schema\_compiler/. The output is a set of FeatureProviders that | 366 //tools/json\_schema\_compiler/. The output is a set of FeatureProviders that |
| 295 contain a mapping of all features. | 367 contain a mapping of all features. |
| 296 | 368 |
| 297 In addition to being significantly more performant than parsing the JSON files | 369 In addition to being significantly more performant than parsing the JSON files |
| 298 at runtime, this has the added benefit of allowing us to validate at compile | 370 at runtime, this has the added benefit of allowing us to validate at compile |
| 299 time rather than needing a unittest (or allowing incorrect features). | 371 time rather than needing a unittest (or allowing incorrect features). |
| 300 | 372 |
| 301 In theory, invalid features should result in a compilation failure; in practice, | 373 In theory, invalid features should result in a compilation failure; in practice, |
| 302 the compiler is probably missing some cases. | 374 the compiler is probably missing some cases. |
| 303 | 375 |
| 304 ## Still to come | 376 ## Still to come |
| 305 | 377 |
| 306 TODO(devlin): Possibly move documentation for feature contexts, add | 378 TODO(devlin): Add documentation for extension types. Probably also more on |
| 307 documentation for extension types. Probably also more on requirements for | 379 requirements for individual features. |
| 308 individual features. | |
| OLD | NEW |