Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(423)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: chrome/common/extensions/docs/templates/articles/manifest/sandbox.html

Issue 2563843002: Restrict app sandbox's CSP to disallow loading web content in them. (Closed)
Patch Set: address comments + update doc Created 4 years ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « chrome/browser/extensions/sandboxed_pages_apitest.cc ('k') | chrome/test/data/extensions/api_test/sandboxed_pages_csp/local_frame.html » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: chrome/common/extensions/docs/templates/articles/manifest/sandbox.html
diff --git a/chrome/common/extensions/docs/templates/articles/manifest/sandbox.html b/chrome/common/extensions/docs/templates/articles/manifest/sandbox.html
index 39ac817ffd5e8c277f2d4fa9cbdf8ba5c81bb7a5..8c8083e995142646c70a63f6b65257df2f8244d9 100644
--- a/chrome/common/extensions/docs/templates/articles/manifest/sandbox.html
+++ b/chrome/common/extensions/docs/templates/articles/manifest/sandbox.html
@@ -1,6 +1,13 @@
<h1 id="sandbox">Manifest - Sandbox</h1>
<p>
+<b><em>Warning:</em></b> Starting version 57, Chrome will no longer load
Devlin 2016/12/28 16:42:37 nitty nit: starting *in* version 57
lazyboy 2016/12/28 19:14:09 Done.
+external web content or web scripts inside sandboxed pages in favor of
Devlin 2016/12/28 16:42:37 nitty nit: maybe: "Starting in version 57, Chrome
lazyboy 2016/12/28 19:14:09 Done.
+existing secure alternative:
+<a href="https://developer.chrome.com/apps/webview_tag">webview</a>.
+</p>
+
+<p>
Defines an collection of app or extension pages that are to be served
in a sandboxed unique origin, and optionally a Content Security Policy to use
with them. Being in a sandbox has two implications:
@@ -30,7 +37,7 @@ direct access to non-sandboxed pages (it may communicate with them via
]
// content_security_policy is optional.
"content_security_policy":
- "sandbox allow-scripts; script-src https://www.google.com"
+ "sandbox allow-scripts; script-src 'self'"
],
...
}
@@ -38,8 +45,10 @@ direct access to non-sandboxed pages (it may communicate with them via
<p>
If not specified, the default <code>content_security_policy</code> value is
- <code>sandbox allow-scripts allow-forms</code>. You can specify your CSP
- value to restrict the sandbox even further, but it must have the <code>sandbox</code>
+ <code>sandbox allow-scripts allow-forms allow-popups allow-modals;
+ script-src 'self' 'unsafe-inline' 'unsafe-eval'; child-src 'self';</code>.
+ You can specify your CSP value to restrict the sandbox even further,
+ but it must have the <code>sandbox</code>
directive and may not have the <code>allow-same-origin</code> token (see
Devlin 2016/12/28 16:42:37 maybe "but it must have the sandbox directive, and
lazyboy 2016/12/28 19:14:09 This sentence is talking about directives values o
<a href="http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#attr-iframe-sandbox">the
HTML5 specification</a> for possible sandbox tokens).
« no previous file with comments | « chrome/browser/extensions/sandboxed_pages_apitest.cc ('k') | chrome/test/data/extensions/api_test/sandboxed_pages_csp/local_frame.html » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698