OLD | NEW |
---|---|
1 <h1 id="sandbox">Manifest - Sandbox</h1> | 1 <h1 id="sandbox">Manifest - Sandbox</h1> |
2 | 2 |
3 <p> | 3 <p> |
4 <b><em>Warning:</em></b> Starting version 57, Chrome will no longer load | |
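Review bot: the new warning (lines 4-7) says what Chrome 57 stops loading but not what a developer with an existing sandboxed page should do about it; one sentence saying that scripts must now ship inside the extension package (the example below accordingly changes `script-src https://www.google.com` to `script-src 'self'`) and that remote content belongs in a `<webview>` would turn the warning into actionable guidance. Also, `<b><em>Warning:</em></b>` doubles two emphasis elements on one word; a single `<strong>` is enough. Drive-by while touching this paragraph: line 11 reads "an collection".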
Devlin
2016/12/28 16:42:37
nitty nit: starting *in* version 57
lazyboy
2016/12/28 19:14:09
Done.
| |
5 external web content or web scripts inside sandboxed pages in favor of | |
Devlin
2016/12/28 16:42:37
nitty nit:
maybe:
"Starting in version 57, Chrome
lazyboy
2016/12/28 19:14:09
Done.
| |
6 existing secure alternative: | |
7 <a href="https://developer.chrome.com/apps/webview_tag">webview</a>. | |
8 </p> | |
9 | |
10 <p> | |
4 Defines an collection of app or extension pages that are to be served | 11 Defines an collection of app or extension pages that are to be served |
5 in a sandboxed unique origin, and optionally a Content Security Policy to use | 12 in a sandboxed unique origin, and optionally a Content Security Policy to use |
6 with them. Being in a sandbox has two implications: | 13 with them. Being in a sandbox has two implications: |
7 </p> | 14 </p> |
8 | 15 |
9 <ol> | 16 <ol> |
10 <li>A sandboxed page will not have access to extension or app APIs, or | 17 <li>A sandboxed page will not have access to extension or app APIs, or |
11 direct access to non-sandboxed pages (it may communicate with them via | 18 direct access to non-sandboxed pages (it may communicate with them via |
12 <code>postMessage()</code>).</li> | 19 <code>postMessage()</code>).</li> |
13 <li> | 20 <li> |
14 <p>A sandboxed page is not subject to the | 21 <p>A sandboxed page is not subject to the |
15 <a href="http://developer.chrome.com/extensions/contentSecurityPolicy">Content Security Policy | 22 <a href="http://developer.chrome.com/extensions/contentSecurityPolicy">Content Security Policy |
16 (CSP)</a> used by the rest of the app or extension (it has its own separate | 23 (CSP)</a> used by the rest of the app or extension (it has its own separate |
17 CSP value). This means that, for example, it can use inline script and | 24 CSP value). This means that, for example, it can use inline script and |
18 <code>eval</code>.</p> | 25 <code>eval</code>.</p> |
19 | 26 |
20 <p>For example, here's how to specify that two extension pages are to be | 27 <p>For example, here's how to specify that two extension pages are to be |
21 served in a sandbox with a custom CSP:</p> | 28 served in a sandbox with a custom CSP:</p> |
22 | 29 |
23 <pre data-filename="manifest.json"> | 30 <pre data-filename="manifest.json"> |
24 { | 31 { |
25 ... | 32 ... |
26 "sandbox": { | 33 "sandbox": { |
27 "pages": [ | 34 "pages": [ |
28 "page1.html", | 35 "page1.html", |
29 "directory/page2.html" | 36 "directory/page2.html" |
30 ] | 37 ] |
31 // content_security_policy is optional. | 38 // content_security_policy is optional. |
32 "content_security_policy": | 39 "content_security_policy": |
33 "sandbox allow-scripts; script-src https://www.google.com" | 40 "sandbox allow-scripts; script-src 'self'" |
34 ], | 41 ], |
35 ... | 42 ... |
36 } | 43 } |
37 </pre> | 44 </pre> |
38 | 45 |
39 <p> | 46 <p> |
40 If not specified, the default <code>content_security_policy</code> value is | 47 If not specified, the default <code>content_security_policy</code> value is |
41 <code>sandbox allow-scripts allow-forms</code>. You can specify your CSP | 48 <code>sandbox allow-scripts allow-forms allow-popups allow-modals; |
42 value to restrict the sandbox even further, but it must have the <code>sandbox </code> | 49 script-src 'self' 'unsafe-inline' 'unsafe-eval'; child-src 'self';</code>. |
50 You can specify your CSP value to restrict the sandbox even further, | |
51 but it must have the <code>sandbox</code> | |
43 directive and may not have the <code>allow-same-origin</code> token (see | 52 directive and may not have the <code>allow-same-origin</code> token (see |
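Review bot: the manifest example at lines 34-41 is still not valid JSON after this change: the `"pages"` array closes at line 37 with `]` and no comma before the next key, and line 41 closes the `"sandbox"` object with `],` instead of `},`; since this CL edits line 40 anyway, fixing both (`],` after the array, `},` after the object) would keep readers from copy-pasting a manifest that fails to parse (the `//` comment at line 38 is not JSON either, but that is a documentation convention). On the default value at lines 48-49: listing `script-src 'self' 'unsafe-inline' 'unsafe-eval'; child-src 'self'` right under the warning above invites the question of whether a custom `content_security_policy` may widen `script-src` back to a remote origin in 57; the text only says the value can "restrict the sandbox even further", so state explicitly what happens to a looser value (ignored, rejected at load, or honored) rather than leaving it implied. Drive-by: line 63's `<code>sandboxed_page</code>` does not match the keys the example actually uses (`sandbox` / `pages`).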
Devlin
2016/12/28 16:42:37
maybe "but it must have the sandbox directive, and
lazyboy
2016/12/28 19:14:09
This sentence is talking about directives values o
| |
44 <a href="http://www.whatwg.org/specs/web-apps/current-work/multipage/the-ifram e-element.html#attr-iframe-sandbox">the | 53 <a href="http://www.whatwg.org/specs/web-apps/current-work/multipage/the-ifram e-element.html#attr-iframe-sandbox">the |
45 HTML5 specification</a> for possible sandbox tokens). | 54 HTML5 specification</a> for possible sandbox tokens). |
46 </p> | 55 </p> |
47 </li> | 56 </li> |
48 </ol> | 57 </ol> |
49 | 58 |
50 <p> | 59 <p> |
51 Note that you only need to list pages that you expected to be loaded in | 60 Note that you only need to list pages that you expected to be loaded in |
52 windows or frames. Resources used by sandboxed pages (e.g. stylesheets or | 61 windows or frames. Resources used by sandboxed pages (e.g. stylesheets or |
53 JavaScript source files) do not need to appear in the | 62 JavaScript source files) do not need to appear in the |
54 <code>sandboxed_page</code> list, they will use the sandbox of the page | 63 <code>sandboxed_page</code> list, they will use the sandbox of the page |
55 that embeds them. | 64 that embeds them. |
56 </p> | 65 </p> |
57 | 66 |
58 <p> | 67 <p> |
59 <a href="http://developer.chrome.com/extensions/sandboxingEval">"Using eval in C hrome Extensions. Safely."</a> | 68 <a href="http://developer.chrome.com/extensions/sandboxingEval">"Using eval in C hrome Extensions. Safely."</a> |
60 goes into more detail about implementing a sandboxing workflow that enables use | 69 goes into more detail about implementing a sandboxing workflow that enables use |
61 of libraries that would otherwise have issues executing under extension's | 70 of libraries that would otherwise have issues executing under extension's |
62 <a href="http://developer.chrome.com/extensions/contentSecurityPolicy">default C ontent Security | 71 <a href="http://developer.chrome.com/extensions/contentSecurityPolicy">default C ontent Security |
63 Policy</a>. | 72 Policy</a>. |
64 </p> | 73 </p> |
65 | 74 |
66 <p> | 75 <p> |
67 Sandboxed page may only be specified when using | 76 Sandboxed page may only be specified when using |
68 <a href="http://developer.chrome.com/extensions/manifest#manifest_version"><code >manifest_version</code></a> 2 or above. | 77 <a href="http://developer.chrome.com/extensions/manifest#manifest_version"><code >manifest_version</code></a> 2 or above. |
69 </p> | 78 </p> |