| OLD | NEW |
|---|
| 1 <h1>External Content</h1> | 1 <h1>External Content</h1> |
| 2 | 2 |
| 3 | 3 |
| 4 <p> | 4 <p> |
| 5 The <a href="app_architecture.html#security">Chrome Apps security model</a> disa
llows | 5 The <a href="app_architecture.html#security">Chrome Apps security model</a> disa
llows |
| 6 external content in iframes and | 6 external content in iframes and |
| 7 the use of inline scripting and <code>eval()</code>. | 7 the use of inline scripting and <code>eval()</code>. |
| 8 You can override these restrictions, | 8 You can override these restrictions, |
| 9 but your external content must be isolated from the app. | 9 but your external content must be isolated from the app. |
| 10 </p> | 10 </p> |
| (...skipping 123 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 134 It's a trade-off though: | 134 It's a trade-off though: |
| 135 sandboxed pages can't use the chrome.* APIs. | 135 sandboxed pages can't use the chrome.* APIs. |
| 136 If you need to do things like <code>eval()</code>, | 136 If you need to do things like <code>eval()</code>, |
| 137 go this route to be exempt from CSP, | 137 go this route to be exempt from CSP, |
| 138 but you won't be able to use the cool new stuff. | 138 but you won't be able to use the cool new stuff. |
| 139 </p> | 139 </p> |
| 140 | 140 |
| 141 <h3 id="inline_scripts">Use inline scripts in sandbox</h3> | 141 <h3 id="inline_scripts">Use inline scripts in sandbox</h3> |
| 142 | 142 |
| 143 <p> | 143 <p> |
| 144 Here's a sample sandboxed page | 144 Here's a sample sandboxed page which uses an inline script and <code>eval()</cod
e>: |
| 145 which uses an inline script and <code>eval()</code>: | |
| 146 </p> | 145 </p> |
| 147 | 146 |
| 148 <pre data-filename="sandboxed.html"> | 147 <pre data-filename="sandboxed.html"> |
| 149 <html> | 148 <html> |
| 150 <body> | 149 <body> |
| 151 <h1>Woot</h1> | 150 <h1>Woot</h1> |
| 152 <script> | 151 <script> |
| 153 document.write('I am an inline script.<br>'); | 152 eval('console.log(\'I am an eval-ed inline script.\')'); |
| 154 eval('document.write(\'I am an eval-ed inline script.\');'); | |
| 155 </script> | 153 </script> |
| 156 </body> | 154 </body> |
| 157 </html> | 155 </html> |
| 158 </pre> | 156 </pre> |
| 159 | 157 |
| 160 <h3 id="include_sandbox">Include sandbox in manifest</h3> | 158 <h3 id="include_sandbox">Include sandbox in manifest</h3> |
| 161 | 159 |
| 162 <p> | 160 <p> |
| 163 You need to include the <code>sandbox</code> field in the manifest | 161 You need to include the <code>sandbox</code> field in the manifest |
| 164 and list the app pages to be served in a sandbox: | 162 and list the app pages to be served in a sandbox: |
| (...skipping 125 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 290 | 288 |
| 291 <pre data-filename="sandboxed.html"> | 289 <pre data-filename="sandboxed.html"> |
| 292 var messageHandler = function(e) { | 290 var messageHandler = function(e) { |
| 293 console.log('Background script says hello.', e.data); | 291 console.log('Background script says hello.', e.data); |
| 294 }; | 292 }; |
| 295 | 293 |
| 296 window.addEventListener('message', messageHandler); | 294 window.addEventListener('message', messageHandler); |
| 297 </pre> | 295 </pre> |
| 298 | 296 |
| 299 <p class="backtotop"><a href="#top">Back to top</a></p> | 297 <p class="backtotop"><a href="#top">Back to top</a></p> |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 249083005:
Remove document.write reference in sandboxing docs. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src