From 220089c14ea56be509e2d9292076decc497bc71f Mon Sep 17 00:00:00 2001 
From: "kathyw@chromium.org"
Date: Mon, 22 Feb 2010 23:35:23 +0000
Subject: Implement suggestions from Broc Seib:

* Update the group URL in all pages
* Move xhr.send() down in the xhr.html samples
* Add a note to xhr.html about content scripts
* Link to Arne's new example of cross-origin xhr for a content script

Also update the chrome.* APIs page to point to the dev version of the experimental page.

Only the following files have changes besides the group URL change:
api_index.html
xhr.html
messaging.html (added links to examples)
content_scripts.html (added link to new example)

I'll merge this change into all branches.

TBR=erikkay
TEST=none
BUG=none

Review URL: http://codereview.chromium.org/650107

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@39664 0039d316-1c4b-4281-b951-d872f2087c98
---
 chrome/common/extensions/docs/api_index.html | 42 +++-------------------
 chrome/common/extensions/docs/api_other.html | 2 +-
 chrome/common/extensions/docs/autoupdate.html | 2 +-
 .../common/extensions/docs/background_pages.html | 2 +-
 chrome/common/extensions/docs/bookmarks.html | 2 +-
 chrome/common/extensions/docs/browserAction.html | 2 +-
 chrome/common/extensions/docs/content_scripts.html | 12 ++++---
 chrome/common/extensions/docs/devguide.html | 2 +-
 chrome/common/extensions/docs/docs.html | 4 +--
 chrome/common/extensions/docs/events.html | 2 +-
 chrome/common/extensions/docs/extension.html | 2 +-
 .../extensions/docs/external_extensions.html | 2 +-
 chrome/common/extensions/docs/faq.html | 4 +--
 chrome/common/extensions/docs/getstarted.html | 6 ++--
 chrome/common/extensions/docs/hosting.html | 2 +-
 chrome/common/extensions/docs/i18n-messages.html | 2 +-
 chrome/common/extensions/docs/i18n.html | 2 +-
 chrome/common/extensions/docs/index.html | 4 +--
 chrome/common/extensions/docs/manifest.html | 2 +-
 chrome/common/extensions/docs/match_patterns.html | 2 +-
 chrome/common/extensions/docs/messaging.html | 23 +++++++++++-
 chrome/common/extensions/docs/npapi.html | 2 +-
 chrome/common/extensions/docs/options.html | 2 +-
 chrome/common/extensions/docs/override.html | 2 +-
 chrome/common/extensions/docs/overview.html | 2 +-
 chrome/common/extensions/docs/packaging.html | 2 +-
 chrome/common/extensions/docs/pageAction.html | 2 +-
 chrome/common/extensions/docs/samples.html | 2 +-
 .../common/extensions/docs/static/api_index.html | 42 +++-------------------
 .../extensions/docs/static/content_scripts.html | 10 ++++--
 chrome/common/extensions/docs/static/docs.html | 2 +-
 chrome/common/extensions/docs/static/faq.html | 2 +-
 .../common/extensions/docs/static/getstarted.html | 4 +--
 chrome/common/extensions/docs/static/index.html | 2 +-
 .../common/extensions/docs/static/messaging.html | 14 ++++++++
 chrome/common/extensions/docs/static/xhr.html | 18 +++++++--
 chrome/common/extensions/docs/tabs.html | 2 +-
 .../extensions/docs/template/api_template.html | 2 +-
 chrome/common/extensions/docs/themes.html | 2 +-
 chrome/common/extensions/docs/tut_debugging.html | 2 +-
 chrome/common/extensions/docs/tutorials.html | 2 +-
 chrome/common/extensions/docs/windows.html | 2 +-
 chrome/common/extensions/docs/xhr.html | 20 ++++++++--
 43 files changed, 130 insertions(+), 133 deletions(-)
(limited to 'chrome/common/extensions')
diff --git a/chrome/common/extensions/docs/api_index.html b/chrome/common/extensions/docs/api_index.html index d9c8ab1..418aa28 100644 --- a/chrome/common/extensions/docs/api_index.html +++ b/chrome/common/extensions/docs/api_index.html @@ -116,7 +116,7 @@ Samples @@ -281,44 +281,12 @@ Here are the supported chrome.* APIs:

Experimental APIs

-We'd like your feedback -on the following experimental APIs: +Google Chrome also has some +experimental APIs, +which give you access to +functionality such as process information and history.

- - -

-Caution: -Don't depend on these experimental APIs. -They might disappear, -and they will change. -Also, the extension gallery doesn't allow you to -upload extensions that use experimental APIs. -

- -

-To use an experimental API, you must specify the "experimental" -permission -in your extension's manifest, like this: -

- -
"permissions": [
-  "experimental",
-  ...
-],
-
- -

-You must also specify the --enable-experimental-extension-apis flag -when you launch the browser. On Windows, you can do this by modifying -the properties of the shortcut that you use to launch Google Chrome. -For example: -

- -
path_to_chrome.exe --enable-experimental-extension-apis
-

API conventions
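Review bot: the hunk at @@ -281,44 +281,12 @@ in api_index.html removes the caution that experimental APIs "might disappear, and they will change" and that the gallery rejects extensions that use them, along with the "experimental" manifest permission and the --enable-experimental-extension-apis launch flag, and replaces all of it with a single sentence pointing at a separate experimental page. Please confirm that the linked page (the dev version, per the commit message) carries both the caution and the setup steps; if it does not, keep at least the one-line caution here, because after this change nothing in the API index tells a reader that these APIs are unstable or that they need a permission and a flag.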

diff --git a/chrome/common/extensions/docs/api_other.html b/chrome/common/extensions/docs/api_other.html index badeaab..7f941db 100644 --- a/chrome/common/extensions/docs/api_other.html +++ b/chrome/common/extensions/docs/api_other.html @@ -116,7 +116,7 @@ Samples

diff --git a/chrome/common/extensions/docs/autoupdate.html b/chrome/common/extensions/docs/autoupdate.html index a0fcf30..2ecfcdd 100644 --- a/chrome/common/extensions/docs/autoupdate.html +++ b/chrome/common/extensions/docs/autoupdate.html @@ -116,7 +116,7 @@ Samples diff --git a/chrome/common/extensions/docs/background_pages.html b/chrome/common/extensions/docs/background_pages.html index acab0db..224bd62 100644 --- a/chrome/common/extensions/docs/background_pages.html +++ b/chrome/common/extensions/docs/background_pages.html @@ -116,7 +116,7 @@ Samples diff --git a/chrome/common/extensions/docs/bookmarks.html b/chrome/common/extensions/docs/bookmarks.html index eed2694..25e7d05 100644 --- a/chrome/common/extensions/docs/bookmarks.html +++ b/chrome/common/extensions/docs/bookmarks.html @@ -116,7 +116,7 @@ Samples diff --git a/chrome/common/extensions/docs/browserAction.html b/chrome/common/extensions/docs/browserAction.html index c46c136..f9e930a 100644 --- a/chrome/common/extensions/docs/browserAction.html +++ b/chrome/common/extensions/docs/browserAction.html @@ -116,7 +116,7 @@ Samples diff --git a/chrome/common/extensions/docs/content_scripts.html b/chrome/common/extensions/docs/content_scripts.html index 9130bec..f014d81 100644 --- a/chrome/common/extensions/docs/content_scripts.html +++ b/chrome/common/extensions/docs/content_scripts.html @@ -116,7 +116,7 @@ Samples @@ -327,7 +327,7 @@ They cannot: Use variables or functions defined by web pages or by other content scripts
  • - Make cross-site XMLHttpRequests + Make cross-site XMLHttpRequests
  • @@ -558,10 +558,14 @@ document.getElementById("someImage").src = imgURL;

    Examples

    -You can find simple examples of communication via messages in the +The +contentscript_xhr example +shows how an extension can perform +cross-site requests for its content script. +You can find other simple examples of communication via messages in the examples/api/messaging directory. -For other examples and for help in viewing the source code, see +For more examples and for help in viewing the source code, see Samples.
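Review bot: the new lead sentence at @@ -558,10 +558,14 @@ says the contentscript_xhr example "shows how an extension can perform cross-site requests for its content script" but never names the mechanism. The messaging.html hunk in this same change states it precisely ("a content script and its parent extension exchange messages, so that the parent extension can perform cross-site requests on behalf of the content script"); reuse that wording here so a reader arriving from the "They cannot: Make cross-site XMLHttpRequests" bullet earlier on this page learns that the workaround is message passing to the extension, not a permission the content script can request for itself.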

    diff --git a/chrome/common/extensions/docs/devguide.html b/chrome/common/extensions/docs/devguide.html index bcd8af9..fe86cfe 100644 --- a/chrome/common/extensions/docs/devguide.html +++ b/chrome/common/extensions/docs/devguide.html @@ -116,7 +116,7 @@ Samples diff --git a/chrome/common/extensions/docs/docs.html b/chrome/common/extensions/docs/docs.html index cfb0794..00ae403 100644 --- a/chrome/common/extensions/docs/docs.html +++ b/chrome/common/extensions/docs/docs.html @@ -116,7 +116,7 @@ Samples @@ -281,7 +281,7 @@ Also check out these: Samples
  • - Group: chromium-extensions + Group: chromium-extensions
  • Home: Google Chrome Extensions diff --git a/chrome/common/extensions/docs/events.html b/chrome/common/extensions/docs/events.html index c822e7a..c0459fe 100644 --- a/chrome/common/extensions/docs/events.html +++ b/chrome/common/extensions/docs/events.html @@ -116,7 +116,7 @@ Samples
  • diff --git a/chrome/common/extensions/docs/extension.html b/chrome/common/extensions/docs/extension.html index dec7290..fdb5fde 100644 --- a/chrome/common/extensions/docs/extension.html +++ b/chrome/common/extensions/docs/extension.html @@ -116,7 +116,7 @@ Samples diff --git a/chrome/common/extensions/docs/external_extensions.html b/chrome/common/extensions/docs/external_extensions.html index 4d53d72..5937722 100644 --- a/chrome/common/extensions/docs/external_extensions.html +++ b/chrome/common/extensions/docs/external_extensions.html @@ -116,7 +116,7 @@ Samples diff --git a/chrome/common/extensions/docs/faq.html b/chrome/common/extensions/docs/faq.html index 0de2285..51a1a89 100644 --- a/chrome/common/extensions/docs/faq.html +++ b/chrome/common/extensions/docs/faq.html @@ -116,7 +116,7 @@ Samples @@ -253,7 +253,7 @@

    If you don't find an answer to your question here, try the -group or the +group or the gallery help.

    diff --git a/chrome/common/extensions/docs/getstarted.html b/chrome/common/extensions/docs/getstarted.html index dde8b71..786dead 100644 --- a/chrome/common/extensions/docs/getstarted.html +++ b/chrome/common/extensions/docs/getstarted.html @@ -116,7 +116,7 @@ Samples @@ -424,8 +424,8 @@ Here are some suggestions for what to do next: debugging tutorial
  • - Keep up to date with the latest news by subscribing to - chromium-extensions + Keep up to date with the latest news: + subscribe to chromium-extensions
  • Look at some diff --git a/chrome/common/extensions/docs/hosting.html b/chrome/common/extensions/docs/hosting.html index 708b114..4db7fcc 100644 --- a/chrome/common/extensions/docs/hosting.html +++ b/chrome/common/extensions/docs/hosting.html @@ -116,7 +116,7 @@ Samples
  • diff --git a/chrome/common/extensions/docs/i18n-messages.html b/chrome/common/extensions/docs/i18n-messages.html index b76c49f..c796dd4 100644 --- a/chrome/common/extensions/docs/i18n-messages.html +++ b/chrome/common/extensions/docs/i18n-messages.html @@ -116,7 +116,7 @@ Samples diff --git a/chrome/common/extensions/docs/i18n.html b/chrome/common/extensions/docs/i18n.html index a7ecdc8..63abc61 100644 --- a/chrome/common/extensions/docs/i18n.html +++ b/chrome/common/extensions/docs/i18n.html @@ -116,7 +116,7 @@ Samples diff --git a/chrome/common/extensions/docs/index.html b/chrome/common/extensions/docs/index.html index d0a1259..9b051f48 100644 --- a/chrome/common/extensions/docs/index.html +++ b/chrome/common/extensions/docs/index.html @@ -116,7 +116,7 @@ Samples @@ -333,7 +333,7 @@ To keep up with the latest news on extensions, read the Chromium blog and the Google Chrome blog, and subscribe to the -chromium-extensions group. +chromium-extensions group.

    diff --git a/chrome/common/extensions/docs/manifest.html b/chrome/common/extensions/docs/manifest.html index 4d9563e..1185050 100644 --- a/chrome/common/extensions/docs/manifest.html +++ b/chrome/common/extensions/docs/manifest.html @@ -116,7 +116,7 @@ Samples diff --git a/chrome/common/extensions/docs/match_patterns.html b/chrome/common/extensions/docs/match_patterns.html index 004b8e4..1b22ab1 100644 --- a/chrome/common/extensions/docs/match_patterns.html +++ b/chrome/common/extensions/docs/match_patterns.html @@ -116,7 +116,7 @@ Samples diff --git a/chrome/common/extensions/docs/messaging.html b/chrome/common/extensions/docs/messaging.html index 51b69ca..d85a210 100644 --- a/chrome/common/extensions/docs/messaging.html +++ b/chrome/common/extensions/docs/messaging.html @@ -116,7 +116,7 @@ Samples @@ -223,6 +223,13 @@ h3Name +
  • + Examples +
      +
    1. + h3Name +
    2. +
  • API reference @@ -517,6 +524,20 @@ chrome.tabs.sendRequest(tab.id, {greeting: "hello"}, function(response) { }); +

    Examples

    + +

    +You can find simple examples of communication via messages in the +examples/api/messaging +directory. +Also see the +contentscript_xhr example, +in which a content script and its parent extension exchange messages, +so that the parent extension can perform +cross-site requests on behalf of the content script. +For more examples and for help in viewing the source code, see +Samples. +
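Review bot: the paragraph at @@ -517,6 +524,20 @@ describes the parent extension performing cross-site requests "on behalf of the content script" without saying that the extension should check what it is being asked to fetch. The extension is the party that holds the cross-origin permission and the content script only sends it a message, so a one-sentence recommendation to validate the requested URL (or to restrict the relay to the hosts the extension actually needs) before calling xhr.open() belongs next to this link; as written, the text reads as if forwarding any request the content script sends is acceptable.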

    diff --git a/chrome/common/extensions/docs/npapi.html b/chrome/common/extensions/docs/npapi.html index 3bfee9c..b5b21b7 100644 --- a/chrome/common/extensions/docs/npapi.html +++ b/chrome/common/extensions/docs/npapi.html @@ -116,7 +116,7 @@ Samples
  • diff --git a/chrome/common/extensions/docs/options.html b/chrome/common/extensions/docs/options.html index f7ce277..2715dc4 100644 --- a/chrome/common/extensions/docs/options.html +++ b/chrome/common/extensions/docs/options.html @@ -116,7 +116,7 @@ Samples diff --git a/chrome/common/extensions/docs/override.html b/chrome/common/extensions/docs/override.html index bed82dc..7aad3e5 100644 --- a/chrome/common/extensions/docs/override.html +++ b/chrome/common/extensions/docs/override.html @@ -116,7 +116,7 @@ Samples diff --git a/chrome/common/extensions/docs/overview.html b/chrome/common/extensions/docs/overview.html index 48c2bc9..48051df 100644 --- a/chrome/common/extensions/docs/overview.html +++ b/chrome/common/extensions/docs/overview.html @@ -116,7 +116,7 @@ Samples diff --git a/chrome/common/extensions/docs/packaging.html b/chrome/common/extensions/docs/packaging.html index ec987ab..747db5e 100644 --- a/chrome/common/extensions/docs/packaging.html +++ b/chrome/common/extensions/docs/packaging.html @@ -116,7 +116,7 @@ Samples diff --git a/chrome/common/extensions/docs/pageAction.html b/chrome/common/extensions/docs/pageAction.html index 0b7d9e3..bc502a7 100644 --- a/chrome/common/extensions/docs/pageAction.html +++ b/chrome/common/extensions/docs/pageAction.html @@ -116,7 +116,7 @@ Samples diff --git a/chrome/common/extensions/docs/samples.html b/chrome/common/extensions/docs/samples.html index d68362c..6211980 100644 --- a/chrome/common/extensions/docs/samples.html +++ b/chrome/common/extensions/docs/samples.html @@ -116,7 +116,7 @@ Samples diff --git a/chrome/common/extensions/docs/static/api_index.html b/chrome/common/extensions/docs/static/api_index.html index 2b7cf5c..708cf95 100644 --- a/chrome/common/extensions/docs/static/api_index.html +++ b/chrome/common/extensions/docs/static/api_index.html @@ -20,46 +20,12 @@ Here are the supported chrome.* APIs:

    Experimental APIs

    -We'd like your feedback -on the following experimental APIs: +Google Chrome also has some +experimental APIs, +which give you access to +functionality such as process information and history.

    - - -

    -Caution: -Don't depend on these experimental APIs. -They might disappear, -and they will change. -Also, the extension gallery doesn't allow you to -upload extensions that use experimental APIs. -

    - -

    -To use an experimental API, you must specify the "experimental" -permission -in your extension's manifest, like this: -

    - -
    -"permissions": [
    -  "experimental",
    -  ...
    -],
    -
    - -

    -You must also specify the --enable-experimental-extension-apis flag -when you launch the browser. On Windows, you can do this by modifying -the properties of the shortcut that you use to launch Google Chrome. -For example: -

    - -
    -path_to_chrome.exe --enable-experimental-extension-apis
    -

    API conventions

    diff --git a/chrome/common/extensions/docs/static/content_scripts.html b/chrome/common/extensions/docs/static/content_scripts.html index 90232f3..2a57220 100644 --- a/chrome/common/extensions/docs/static/content_scripts.html +++ b/chrome/common/extensions/docs/static/content_scripts.html @@ -38,7 +38,7 @@ They cannot: Use variables or functions defined by web pages or by other content scripts

  • - Make cross-site XMLHttpRequests + Make cross-site XMLHttpRequests
  • @@ -273,10 +273,14 @@ document.getElementById("someImage").src = imgURL;

    Examples

    -You can find simple examples of communication via messages in the +The +contentscript_xhr example +shows how an extension can perform +cross-site requests for its content script. +You can find other simple examples of communication via messages in the examples/api/messaging directory. -For other examples and for help in viewing the source code, see +For more examples and for help in viewing the source code, see Samples.

    diff --git a/chrome/common/extensions/docs/static/docs.html b/chrome/common/extensions/docs/static/docs.html index 9cf2f0f..10e406b 100644 --- a/chrome/common/extensions/docs/static/docs.html +++ b/chrome/common/extensions/docs/static/docs.html @@ -34,7 +34,7 @@ Also check out these: Samples
  • - Group: chromium-extensions + Group: chromium-extensions
  • Home: Google Chrome Extensions diff --git a/chrome/common/extensions/docs/static/faq.html b/chrome/common/extensions/docs/static/faq.html index efc8762..88851846 100644 --- a/chrome/common/extensions/docs/static/faq.html +++ b/chrome/common/extensions/docs/static/faq.html @@ -6,7 +6,7 @@

    If you don't find an answer to your question here, try the -group or the +group or the gallery help.

    diff --git a/chrome/common/extensions/docs/static/getstarted.html b/chrome/common/extensions/docs/static/getstarted.html index bc5c3b8..67b8cd8 100644 --- a/chrome/common/extensions/docs/static/getstarted.html +++ b/chrome/common/extensions/docs/static/getstarted.html @@ -169,8 +169,8 @@ Here are some suggestions for what to do next: debugging tutorial
  • - Keep up to date with the latest news by subscribing to - chromium-extensions + Keep up to date with the latest news: + subscribe to chromium-extensions
  • Look at some diff --git a/chrome/common/extensions/docs/static/index.html b/chrome/common/extensions/docs/static/index.html index d7ae85e..50000e7 100644 --- a/chrome/common/extensions/docs/static/index.html +++ b/chrome/common/extensions/docs/static/index.html @@ -86,7 +86,7 @@ To keep up with the latest news on extensions, read the Chromium blog and the Google Chrome blog, and subscribe to the -chromium-extensions group. +chromium-extensions group.

    diff --git a/chrome/common/extensions/docs/static/messaging.html b/chrome/common/extensions/docs/static/messaging.html index 2c4c029..f466318 100644 --- a/chrome/common/extensions/docs/static/messaging.html +++ b/chrome/common/extensions/docs/static/messaging.html @@ -257,3 +257,17 @@ chrome.tabs.sendRequest(tab.id, {greeting: "hello"}, function(response) { }); +

    Examples

    + +

    +You can find simple examples of communication via messages in the +examples/api/messaging +directory. +Also see the +contentscript_xhr example, +in which a content script and its parent extension exchange messages, +so that the parent extension can perform +cross-site requests on behalf of the content script. +For more examples and for help in viewing the source code, see +Samples. +

    diff --git a/chrome/common/extensions/docs/static/xhr.html b/chrome/common/extensions/docs/static/xhr.html index 01d36fe..84cecfc 100644 --- a/chrome/common/extensions/docs/static/xhr.html +++ b/chrome/common/extensions/docs/static/xhr.html @@ -11,6 +11,16 @@ Extensions aren't so limited. An extension can talk to remote servers outside of its origin, as long as it first requests cross-origin permissions.

    +

    +Note: +Content scripts can't directly make cross-origin requests. +However, a content script can +send a message to its parent extension +that asks the extension to make a cross-origin request. +For an example of this technique, see the +contentscript_xhr example. +

    +

    Extension origin

    Each running extension exists within its own separate security origin. Without requesting additional privileges, the extension can use @@ -92,7 +102,6 @@ scripting. Specifically, avoid using dangerous APIs such as the below: =============== var xhr = new XMLHttpRequest(); xhr.open("GET", "http://api.example.com/data.json", true); -xhr.send(); xhr.onreadystatechange = function() { if (xhr.readyState == 4) { // WARNING! Might be evaluating an evil script! @@ -100,12 +109,12 @@ xhr.onreadystatechange = function() { ... } } +xhr.send(); background.html =============== var xhr = new XMLHttpRequest(); xhr.open("GET", "http://api.example.com/data.json", true); -xhr.send(); xhr.onreadystatechange = function() { if (xhr.readyState == 4) { // WARNING! Might be injecting a malicious script! @@ -113,6 +122,7 @@ xhr.onreadystatechange = function() { ... } } +xhr.send();

    Instead, prefer safer APIs that do not run scripts: @@ -121,25 +131,25 @@ Instead, prefer safer APIs that do not run scripts: =============== var xhr = new XMLHttpRequest(); xhr.open("GET", "http://api.example.com/data.json", true); -xhr.send(); xhr.onreadystatechange = function() { if (xhr.readyState == 4) { // JSON.parse does not evaluate the attacker's scripts. var resp = JSON.parse(xhr.responseText); } } +xhr.send(); background.html =============== var xhr = new XMLHttpRequest(); xhr.open("GET", "http://api.example.com/data.json", true); -xhr.send(); xhr.onreadystatechange = function() { if (xhr.readyState == 4) { // innerText does not let the attacker inject HTML elements. document.getElementById("resp").innerText = xhr.responseText; } } +xhr.send();

    Additionally, be especially careful of resource retrieved via HTTP. If your diff --git a/chrome/common/extensions/docs/tabs.html b/chrome/common/extensions/docs/tabs.html index 0797d1e..9f309dd 100644 --- a/chrome/common/extensions/docs/tabs.html +++ b/chrome/common/extensions/docs/tabs.html @@ -116,7 +116,7 @@ Samples

  • diff --git a/chrome/common/extensions/docs/template/api_template.html b/chrome/common/extensions/docs/template/api_template.html index 89453d7..0cb8b91 100644 --- a/chrome/common/extensions/docs/template/api_template.html +++ b/chrome/common/extensions/docs/template/api_template.html @@ -103,7 +103,7 @@ Samples diff --git a/chrome/common/extensions/docs/themes.html b/chrome/common/extensions/docs/themes.html index 42e5512..92a436a 100644 --- a/chrome/common/extensions/docs/themes.html +++ b/chrome/common/extensions/docs/themes.html @@ -116,7 +116,7 @@ Samples diff --git a/chrome/common/extensions/docs/tut_debugging.html b/chrome/common/extensions/docs/tut_debugging.html index efcfc92..60345d0 100644 --- a/chrome/common/extensions/docs/tut_debugging.html +++ b/chrome/common/extensions/docs/tut_debugging.html @@ -116,7 +116,7 @@ Samples diff --git a/chrome/common/extensions/docs/tutorials.html b/chrome/common/extensions/docs/tutorials.html index a9cc396..3ae0d38 100644 --- a/chrome/common/extensions/docs/tutorials.html +++ b/chrome/common/extensions/docs/tutorials.html @@ -116,7 +116,7 @@ Samples diff --git a/chrome/common/extensions/docs/windows.html b/chrome/common/extensions/docs/windows.html index 18518c5..eee9750 100644 --- a/chrome/common/extensions/docs/windows.html +++ b/chrome/common/extensions/docs/windows.html @@ -116,7 +116,7 @@ Samples diff --git a/chrome/common/extensions/docs/xhr.html b/chrome/common/extensions/docs/xhr.html index 24fcc3f..820cac0 100644 --- a/chrome/common/extensions/docs/xhr.html +++ b/chrome/common/extensions/docs/xhr.html @@ -116,7 +116,7 @@ Samples @@ -258,6 +258,16 @@ Extensions aren't so limited. An extension can talk to remote servers outside of its origin, as long as it first requests cross-origin permissions.

    +

    +Note: +Content scripts can't directly make cross-origin requests. +However, a content script can +send a message to its parent extension +that asks the extension to make a cross-origin request. +For an example of this technique, see the +contentscript_xhr example. +

    +

    Extension origin

    Each running extension exists within its own separate security origin. Without requesting additional privileges, the extension can use @@ -337,7 +347,6 @@ scripting. Specifically, avoid using dangerous APIs such as the below: =============== var xhr = new XMLHttpRequest(); xhr.open("GET", "http://api.example.com/data.json", true); -xhr.send(); xhr.onreadystatechange = function() { if (xhr.readyState == 4) { // WARNING! Might be evaluating an evil script! @@ -345,12 +354,12 @@ xhr.onreadystatechange = function() { ... } } +xhr.send(); background.html =============== var xhr = new XMLHttpRequest(); xhr.open("GET", "http://api.example.com/data.json", true); -xhr.send(); xhr.onreadystatechange = function() { if (xhr.readyState == 4) { // WARNING! Might be injecting a malicious script! @@ -358,6 +367,7 @@ xhr.onreadystatechange = function() { ... } } +xhr.send();

    Instead, prefer safer APIs that do not run scripts: @@ -366,25 +376,25 @@ Instead, prefer safer APIs that do not run scripts: =============== var xhr = new XMLHttpRequest(); xhr.open("GET", "http://api.example.com/data.json", true); -xhr.send(); xhr.onreadystatechange = function() { if (xhr.readyState == 4) { // JSON.parse does not evaluate the attacker's scripts. var resp = JSON.parse(xhr.responseText); } } +xhr.send(); background.html =============== var xhr = new XMLHttpRequest(); xhr.open("GET", "http://api.example.com/data.json", true); -xhr.send(); xhr.onreadystatechange = function() { if (xhr.readyState == 4) { // innerText does not let the attacker inject HTML elements. document.getElementById("resp").innerText = xhr.responseText; } } +xhr.send();

    Additionally, be especially careful of resource retrieved via HTTP. If your -- cgit v1.1
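Review bot: in the hunks that add the Note to static/xhr.html (@@ -11,6 +11,16 @@) and xhr.html (@@ -258,6 +258,16 @@), the new text tells the reader that a content script can ask its parent extension to make the cross-origin request, but not that the extension itself still needs the cross-origin permission named in the immediately preceding sentence ("as long as it first requests cross-origin permissions"). Add half a sentence to that effect so nobody expects the relay to work without the permission, and consider saying that the extension should inspect the message before issuing the request, since it is acting for a script that was deliberately denied this capability.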
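Review bot: moving xhr.send() below the onreadystatechange assignment (the @@ -92,7 +102,6 @@, @@ -100,12 +109,12 @@ and @@ -113,6 +122,7 @@ hunks in static/xhr.html and their @@ -337/-345/-358 counterparts in xhr.html) gives the samples the idiomatic order, with the handler installed before the request starts. For the asynchronous requests shown here (third argument to open() is true) this changes no behaviour, because the callback cannot run until the current script has finished, so this is sample hygiene rather than a bug fix; since readers copy these snippets, a short comment above xhr.send() saying that the handler must be set before a synchronous send would make the reason for the order explicit.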
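Review bot: the "safer APIs" hunks (@@ -121,25 +131,25 @@ in static/xhr.html and @@ -366,25 +376,25 @@ in xhr.html) still open "http://api.example.com/data.json" while the unchanged paragraph that follows them warns the reader to "be especially careful of resource retrieved via HTTP". Because these two samples exist to show the safe pattern, switch their URLs to https (JSON.parse and innerText protect against script evaluation and HTML injection, not against a response altered in transit), or state that the URL is a placeholder; the "dangerous" samples above them can keep the plain http URL since they are already marked with WARNING comments.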