OLD | NEW |
1 <h1 id="sandbox">Manifest - Sandbox</h1> | 1 <h1 id="sandbox">Manifest - Sandbox</h1> |
2 | 2 |
3 <p> | 3 <p> |
| 4 <b><em>Warning:</em></b> Starting in version 57, Chrome will no longer allow |
| 5 external web content (including embedded frames and scripts) inside sandboxed |
| 6 pages. Please use a |
| 7 <a href="https://developer.chrome.com/apps/webview_tag">webview</a> instead. |
| 8 </p> |
| 9 |
| 10 <p> |
4 Defines an collection of app or extension pages that are to be served | 11 Defines an collection of app or extension pages that are to be served |
5 in a sandboxed unique origin, and optionally a Content Security Policy to use | 12 in a sandboxed unique origin, and optionally a Content Security Policy to use |
6 with them. Being in a sandbox has two implications: | 13 with them. Being in a sandbox has two implications: |
7 </p> | 14 </p> |
8 | 15 |
9 <ol> | 16 <ol> |
10 <li>A sandboxed page will not have access to extension or app APIs, or | 17 <li>A sandboxed page will not have access to extension or app APIs, or |
11 direct access to non-sandboxed pages (it may communicate with them via | 18 direct access to non-sandboxed pages (it may communicate with them via |
12 <code>postMessage()</code>).</li> | 19 <code>postMessage()</code>).</li> |
13 <li> | 20 <li> |
14 <p>A sandboxed page is not subject to the | 21 <p>A sandboxed page is not subject to the |
15 <a href="http://developer.chrome.com/extensions/contentSecurityPolicy">Content
Security Policy | 22 <a href="http://developer.chrome.com/extensions/contentSecurityPolicy">Content
Security Policy |
16 (CSP)</a> used by the rest of the app or extension (it has its own separate | 23 (CSP)</a> used by the rest of the app or extension (it has its own separate |
17 CSP value). This means that, for example, it can use inline script and | 24 CSP value). This means that, for example, it can use inline script and |
18 <code>eval</code>.</p> | 25 <code>eval</code>.</p> |
19 | 26 |
20 <p>For example, here's how to specify that two extension pages are to be | 27 <p>For example, here's how to specify that two extension pages are to be |
21 served in a sandbox with a custom CSP:</p> | 28 served in a sandbox with a custom CSP:</p> |
22 | 29 |
23 <pre data-filename="manifest.json"> | 30 <pre data-filename="manifest.json"> |
24 { | 31 { |
25 ... | 32 ... |
26 "sandbox": { | 33 "sandbox": { |
27 "pages": [ | 34 "pages": [ |
28 "page1.html", | 35 "page1.html", |
29 "directory/page2.html" | 36 "directory/page2.html" |
30 ] | 37 ] |
31 // content_security_policy is optional. | 38 // content_security_policy is optional. |
32 "content_security_policy": | 39 "content_security_policy": |
33 "sandbox allow-scripts; script-src https://www.google.com" | 40 "sandbox allow-scripts; script-src 'self'" |
34 ], | 41 ], |
35 ... | 42 ... |
36 } | 43 } |
37 </pre> | 44 </pre> |
38 | 45 |
39 <p> | 46 <p> |
40 If not specified, the default <code>content_security_policy</code> value is | 47 If not specified, the default <code>content_security_policy</code> value is |
41 <code>sandbox allow-scripts allow-forms</code>. You can specify your CSP | 48 <code>sandbox allow-scripts allow-forms allow-popups allow-modals; |
42 value to restrict the sandbox even further, but it must have the <code>sandbox
</code> | 49 script-src 'self' 'unsafe-inline' 'unsafe-eval'; child-src 'self';</code>. |
| 50 You can specify your CSP value to restrict the sandbox even further, |
| 51 but it must have the <code>sandbox</code> |
43 directive and may not have the <code>allow-same-origin</code> token (see | 52 directive and may not have the <code>allow-same-origin</code> token (see |
44 <a href="http://www.whatwg.org/specs/web-apps/current-work/multipage/the-ifram
e-element.html#attr-iframe-sandbox">the | 53 <a href="http://www.whatwg.org/specs/web-apps/current-work/multipage/the-ifram
e-element.html#attr-iframe-sandbox">the |
45 HTML5 specification</a> for possible sandbox tokens). | 54 HTML5 specification</a> for possible sandbox tokens). Also, the CSP you |
| 55 specify may not allow loading external web content inside sandboxed pages. |
46 </p> | 56 </p> |
47 </li> | 57 </li> |
48 </ol> | 58 </ol> |
49 | 59 |
50 <p> | 60 <p> |
51 Note that you only need to list pages that you expected to be loaded in | 61 Note that you only need to list pages that you expected to be loaded in |
52 windows or frames. Resources used by sandboxed pages (e.g. stylesheets or | 62 windows or frames. Resources used by sandboxed pages (e.g. stylesheets or |
53 JavaScript source files) do not need to appear in the | 63 JavaScript source files) do not need to appear in the |
54 <code>sandboxed_page</code> list, they will use the sandbox of the page | 64 <code>sandboxed_page</code> list, they will use the sandbox of the page |
55 that embeds them. | 65 that embeds them. |
56 </p> | 66 </p> |
57 | 67 |
58 <p> | 68 <p> |
59 <a href="http://developer.chrome.com/extensions/sandboxingEval">"Using eval in C
hrome Extensions. Safely."</a> | 69 <a href="http://developer.chrome.com/extensions/sandboxingEval">"Using eval in C
hrome Extensions. Safely."</a> |
60 goes into more detail about implementing a sandboxing workflow that enables use | 70 goes into more detail about implementing a sandboxing workflow that enables use |
61 of libraries that would otherwise have issues executing under extension's | 71 of libraries that would otherwise have issues executing under extension's |
62 <a href="http://developer.chrome.com/extensions/contentSecurityPolicy">default C
ontent Security | 72 <a href="http://developer.chrome.com/extensions/contentSecurityPolicy">default C
ontent Security |
63 Policy</a>. | 73 Policy</a>. |
64 </p> | 74 </p> |
65 | 75 |
66 <p> | 76 <p> |
67 Sandboxed page may only be specified when using | 77 Sandboxed page may only be specified when using |
68 <a href="http://developer.chrome.com/extensions/manifest#manifest_version"><code
>manifest_version</code></a> 2 or above. | 78 <a href="http://developer.chrome.com/extensions/manifest#manifest_version"><code
>manifest_version</code></a> 2 or above. |
69 </p> | 79 </p> |
OLD | NEW |