Diffstat (limited to 'chrome/common/extensions/docs/xhr.html')
-rw-r--r-- | chrome/common/extensions/docs/xhr.html | 20 |
1 files changed, 15 insertions, 5 deletions
diff --git a/chrome/common/extensions/docs/xhr.html b/chrome/common/extensions/docs/xhr.html index 24fcc3f..820cac0 100644 --- a/chrome/common/extensions/docs/xhr.html +++ b/chrome/common/extensions/docs/xhr.html @@ -116,7 +116,7 @@ <a href="samples.html" title="Sample extensions (with source code)">Samples</a> </li> <li id="group_link"> - <a href="http://groups.google.com/group/chromium-extensions" title="Google Chrome Extensions developer forum">Group</a> + <a href="http://groups.google.com/a/chromium.org/group/chromium-extensions" title="Google Chrome Extensions developer forum">Group</a> </li> </ul> </div> <!-- end gc-topnav --> @@ -258,6 +258,16 @@ Extensions aren't so limited. An extension can talk to remote servers outside of its origin, as long as it first requests cross-origin permissions.</p> +<p class="note"> +<b>Note:</b> +Content scripts can't directly make cross-origin requests. +However, a content script can +send a message to its parent extension +that asks the extension to make a cross-origin request. +For an example of this technique, see the +<a href="http://src.chromium.org/viewvc/chrome/trunk/src/chrome/common/extensions/docs/examples/howto/contentscript_xhr">contentscript_xhr example</a>. +</p> + <h2 id="extension-origin">Extension origin</h2> <p>Each running extension exists within its own separate security origin. Without requesting additional privileges, the extension can use @@ -337,7 +347,6 @@ scripting</a>. Specifically, avoid using dangerous APIs such as the below: =============== var xhr = new XMLHttpRequest(); xhr.open("GET", "http://api.example.com/data.json", true); -xhr.send(); xhr.onreadystatechange = function() { if (xhr.readyState == 4) { // WARNING! Might be evaluating an evil script! 
@@ -345,12 +354,12 @@ xhr.onreadystatechange = function() { ... } } +xhr.send(); background.html =============== var xhr = new XMLHttpRequest(); xhr.open("GET", "http://api.example.com/data.json", true); -xhr.send(); xhr.onreadystatechange = function() { if (xhr.readyState == 4) { // WARNING! Might be injecting a malicious script! @@ -358,6 +367,7 @@ xhr.onreadystatechange = function() { ... } } +xhr.send(); </pre> <p> Instead, prefer safer APIs that do not run scripts: @@ -366,25 +376,25 @@ Instead, prefer safer APIs that do not run scripts: =============== var xhr = new XMLHttpRequest(); xhr.open("GET", "http://api.example.com/data.json", true); -xhr.send(); xhr.onreadystatechange = function() { if (xhr.readyState == 4) { // JSON.parse does not evaluate the attacker's scripts. var resp = JSON.parse(xhr.responseText); } } +xhr.send(); background.html =============== var xhr = new XMLHttpRequest(); xhr.open("GET", "http://api.example.com/data.json", true); -xhr.send(); xhr.onreadystatechange = function() { if (xhr.readyState == 4) { // innerText does not let the attacker inject HTML elements. document.getElementById("resp").innerText = xhr.responseText; } } +xhr.send(); </pre> <p> Additionally, be especially careful of resource retrieved via HTTP. If your |
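Review bot: in the first hunk (@@ -116,7) the replacement forum link still uses the plain http:// scheme, which sits oddly in a document whose own closing section warns readers to be careful with resources retrieved over HTTP; if the group is reachable over https://, link it that way. The hunk only touches this one topnav entry, so also check whether the other pages in this doc set carry the old groups.google.com/group/chromium-extensions href, since the topnav is duplicated per page and a partial update leaves the set inconsistent.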
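Review bot: the added note in the second hunk (@@ -258,6) tells readers that a content script can message its parent extension to make a cross-origin request on its behalf, but says nothing about the extension checking what it is asked to fetch. Because this is the security section of the page, one sentence advising the extension to validate the requested URL against the hosts it actually expects, rather than proxying whatever URL arrives in the message, would make the note complete. Minor: the example is linked by an absolute http://src.chromium.org viewvc URL while sibling pages are linked relatively (see "samples.html" in the same file); consider whether the contentscript_xhr sample should be referenced the same way so the link does not break when the tree moves.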
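Review bot: the third hunk (@@ -337,7) removes `xhr.send();` from directly after `xhr.open(...)`, and the matching `+xhr.send();` only appears in the following hunk, so the two must be read together to see that each example still issues exactly one send. Installing the onreadystatechange handler before calling send() is the right order and the move is correct; the point worth confirming is that every one of the four examples in this file ends up with send() after its handler, since the edits straddle hunk boundaries and a dropped `+` line would silently leave an example that never sends. The "WARNING!" comments and the eval/innerHTML behaviour of these "dangerous API" examples are intentional illustrations and should stay as they are.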
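Review bot: in the last hunk (@@ -366,25) the "safer API" examples still gate only on `xhr.readyState == 4` and never look at `xhr.status`, so the body of an error response is handed to `JSON.parse` (which will throw on a non-JSON error page) or written into the `resp` element exactly as a successful body would be; adding an `xhr.status == 200` check next to the readyState check would make the recommended pattern as robust as it is safe. Both examples also fetch "http://api.example.com/data.json" while the paragraph that follows warns about resources retrieved via HTTP; using an https:// URL in the examples that are meant to be copied would keep the recommendation and the code consistent.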