Diffstat (limited to 'chrome/common/extensions/docs/static/xhr.html')
-rw-r--r--  chrome/common/extensions/docs/static/xhr.html  18
1 files changed, 14 insertions, 4 deletions
diff --git a/chrome/common/extensions/docs/static/xhr.html b/chrome/common/extensions/docs/static/xhr.html index 01d36fe..84cecfc 100644 --- a/chrome/common/extensions/docs/static/xhr.html +++ b/chrome/common/extensions/docs/static/xhr.html @@ -11,6 +11,16 @@ Extensions aren't so limited. An extension can talk to remote servers outside of its origin, as long as it first requests cross-origin permissions.</p> +<p class="note"> +<b>Note:</b> +Content scripts can't directly make cross-origin requests. +However, a content script can +send a message to its parent extension +that asks the extension to make a cross-origin request. +For an example of this technique, see the +<a href="http://src.chromium.org/viewvc/chrome/trunk/src/chrome/common/extensions/docs/examples/howto/contentscript_xhr">contentscript_xhr example</a>. +</p> + <h2 id="extension-origin">Extension origin</h2> <p>Each running extension exists within its own separate security origin. Without requesting additional privileges, the extension can use @@ -92,7 +102,6 @@ scripting</a>. Specifically, avoid using dangerous APIs such as the below: =============== var xhr = new XMLHttpRequest(); xhr.open("GET", "http://api.example.com/data.json", true); -xhr.send(); xhr.onreadystatechange = function() { if (xhr.readyState == 4) { // WARNING! Might be evaluating an evil script! @@ -100,12 +109,12 @@ xhr.onreadystatechange = function() { ... } } +xhr.send(); background.html =============== var xhr = new XMLHttpRequest(); xhr.open("GET", "http://api.example.com/data.json", true); -xhr.send(); xhr.onreadystatechange = function() { if (xhr.readyState == 4) { // WARNING! Might be injecting a malicious script! @@ -113,6 +122,7 @@ xhr.onreadystatechange = function() { ... } } +xhr.send(); </pre> <p> Instead, prefer safer APIs that do not run scripts: 
@@ -121,25 +131,25 @@ Instead, prefer safer APIs that do not run scripts: =============== var xhr = new XMLHttpRequest(); xhr.open("GET", "http://api.example.com/data.json", true); -xhr.send(); xhr.onreadystatechange = function() { if (xhr.readyState == 4) { // JSON.parse does not evaluate the attacker's scripts. var resp = JSON.parse(xhr.responseText); } } +xhr.send(); background.html =============== var xhr = new XMLHttpRequest(); xhr.open("GET", "http://api.example.com/data.json", true); -xhr.send(); xhr.onreadystatechange = function() { if (xhr.readyState == 4) { // innerText does not let the attacker inject HTML elements. document.getElementById("resp").innerText = xhr.responseText; } } +xhr.send(); </pre> <p> Additionally, be especially careful of resource retrieved via HTTP. If your |
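Review bot: the new note in the first hunk (@@ -11,6 +11,16) explains that a content script can ask its parent extension to make a cross-origin request on its behalf, but says nothing about the extension side restricting what it is willing to fetch; since the message turns the extension's cross-origin permission into something the content script can drive, suggest adding a sentence after "that asks the extension to make a cross-origin request." telling authors to validate the requested URL or action in the message handler rather than fetching whatever the message names. The example link is also a plain http:// URL to src.chromium.org; given the warning in this same document about resources retrieved via HTTP, an https:// or relative link would be more consistent.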
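Review bot: moving xhr.send() below the onreadystatechange assignment in the hunks at @@ -92,7 and @@ -100,12 is the right order, since the handler is now registered before the request is started, and the change is applied consistently to all four snippets; however the "dangerous" examples in these hunks still request "http://api.example.com/data.json" while the paragraph after the last hunk tells readers to be especially careful of resources retrieved via HTTP. Suggest switching the example URLs to https:// in the same change so the sample code does not undercut the advice the page gives.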
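Review bot: in the last hunk (@@ -121,25 +131,25) the "safer" popup example gates only on xhr.readyState == 4 before calling JSON.parse(xhr.responseText), so a non-200 response (an HTML error page, for instance) will throw an uncaught SyntaxError inside the handler, and the innerText example likewise displays whatever body came back regardless of status. Suggest also checking xhr.status == 200 and wrapping the parse, e.g. `if (xhr.readyState == 4 && xhr.status == 200) { try { var resp = JSON.parse(xhr.responseText); } catch (e) { /* ignore malformed response */ } }`, so the documented-safe pattern also handles the failure case readers will copy it into.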