| author | abarth@chromium.org <abarth@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-11-20 16:42:17 +0000 |
|---|---|---|
| committer | abarth@chromium.org <abarth@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-11-20 16:42:17 +0000 |
| commit | 5c1b42a28ecd53f8dc4b8e3f43b9818e39f04a60 (patch) | |
| tree | e1af3fc8edad75c9b8f40a8a490e971d080aa3d9 /chrome/common/extensions/docs/static/xhr.html | |
| parent | 45a19e98e7bdd706c80c29ed8e0785cfa0695a72 (diff) | |
| download | chromium_src-5c1b42a28ecd53f8dc4b8e3f43b9818e39f04a60.zip chromium_src-5c1b42a28ecd53f8dc4b8e3f43b9818e39f04a60.tar.gz chromium_src-5c1b42a28ecd53f8dc4b8e3f43b9818e39f04a60.tar.bz2 | |
Add some security considerations to our extension docs.
BUG=26594
TEST=None, just documentation
Review URL: http://codereview.chromium.org/412003
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@32614 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome/common/extensions/docs/static/xhr.html')
-rw-r--r-- | chrome/common/extensions/docs/static/xhr.html | 68 |
1 files changed, 68 insertions, 0 deletions
diff --git a/chrome/common/extensions/docs/static/xhr.html b/chrome/common/extensions/docs/static/xhr.html index 3a10dc8..ebbd56b 100644 --- a/chrome/common/extensions/docs/static/xhr.html +++ b/chrome/common/extensions/docs/static/xhr.html 
@@ -76,5 +76,73 @@ of hosts, it must declare the permissions separately:</p> ], </pre> +<h2 id="security-considerations">Security considerations</h2> + +<p> +When using resources retrieved via XMLHttpRequest, your background page should +be careful not to fall victim to <a +href="http://en.wikipedia.org/wiki/Cross-site_scripting">cross-site +scripting</a>. Specifically, avoid using dangerous APIs such as the below: +</p> +<pre>background.html +=============== +var xhr = new XMLHttpRequest(); +xhr.open("GET", "http://api.example.com/data.json", true); +xhr.send(); +xhr.onreadystatechange = function() { + if (xhr.readyState == 4) { + // WARNING! Might be evaluating an evil script! + var resp = eval("(" + xhr.responseText + ")"); + ... + } +} + +background.html +=============== +var xhr = new XMLHttpRequest(); +xhr.open("GET", "http://api.example.com/data.json", true); +xhr.send(); +xhr.onreadystatechange = function() { + if (xhr.readyState == 4) { + // WARNING! Might be injecting a malicious script! + document.getElementById("resp").innerHTML = xhr.responseText; + ... + } +} +</pre> +<p> +Instead, prefer safer APIs that do not run scripts: +</p> +<pre>background.html +=============== +var xhr = new XMLHttpRequest(); +xhr.open("GET", "http://api.example.com/data.json", true); +xhr.send(); +xhr.onreadystatechange = function() { + if (xhr.readyState == 4) { + // JSON.parse does not evaluate the attacker's scripts. + var resp = JSON.parse(xhr.responseText); + } +} + +background.html +=============== +var xhr = new XMLHttpRequest(); +xhr.open("GET", "http://api.example.com/data.json", true); +xhr.send(); +xhr.onreadystatechange = function() { + if (xhr.readyState == 4) { + // innerText does not let the attacker inject HTML elements. + document.getElementById("resp").innerText = xhr.responseText; + } +} +</pre> +<p> +Additionally, be especially careful of resource retrieved via HTTP. 
If your +extension is used on a hostile network, an network attacker (aka a <a +href="http://en.wikipedia.org/wiki/Man-in-the-middle_attack">"man-in-the-middle"</a>) +could modify the response and, potentially, attack your extension. Instead, +prefer HTTPS whenever possible. +</p> <!-- END AUTHORED CONTENT --> |
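Review bot: the "safer" examples still fetch `http://api.example.com/data.json` over plain HTTP, which contradicts the closing paragraph's advice to prefer HTTPS; since the point of this section is that a network attacker can tamper with the response, the two recommended snippets should use an `https://` URL so readers copying them get the full fix. The last paragraph also has two typos: "careful of resource retrieved via HTTP" should read "resources", and "an network attacker" should read "a network attacker". Finally, `JSON.parse` only removes the script-execution risk; it throws on a malformed or non-JSON body, and all four handlers check `xhr.readyState == 4` without looking at `xhr.status`, so a one-line mention that the parse should be wrapped in `try`/`catch` (or gated on a successful status) would keep the "safe" example from becoming a new failure mode.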