1 <h1>External Content</h1>
5 The <a href="app_architecture.html#security">Chrome Apps security model</a> disallows
6 external content in iframes and
7 the use of inline scripting and <code>eval()</code>.
8 You can override these restrictions,
9 but your external content must be isolated from the app.
13 Isolated content cannot directly
14 access the app's data or any of the APIs.
15 Use cross-origin XMLHttpRequests
16 and post-messaging to communicate between the event page and sandboxed content
17 and indirectly access the APIs.
22 Want to play with the code?
24 <a href="https://github.com/GoogleChrome/chrome-app-samples/tree/master/sandbox">sandbox</a> sample.
27 <h2 id="external">Referencing external resources</h2>
30 The <a href="contentSecurityPolicy.html">Content Security Policy</a> used by apps disallows
31 the use of many kinds of remote URLs, so you can't directly reference external
32 images, stylesheets, or fonts from an app page. Instead, you can use use
33 cross-origin XMLHttpRequests to fetch these resources,
34 and then serve them via <code>blob:</code> URLs.
37 <h3 id="manifest">Manifest requirement</h3>
40 To be able to do cross-origin XMLHttpRequests, you'll need to add a permission
41 for the remote URL's host:
44 <pre data-filename="manifest.json">
47 "https://supersweetdomainbutnotcspfriendly.com/"
51 <h3 id="cross-origin">Cross-origin XMLHttpRequest</h3>
54 Fetch the remote URL into the app and serve its contents as a <code>blob:</code>
59 var xhr = new XMLHttpRequest();
60 xhr.open('GET', 'https://supersweetdomainbutnotcspfriendly.com/image.png', true);
61 xhr.responseType = 'blob';
62 xhr.onload = function(e) {
63 var img = document.createElement('img');
64 img.src = window.URL.createObjectURL(this.response);
65 document.body.appendChild(img);
71 <p>You may want to <a href="offline_apps.html#saving-locally">save</a>
72 these resources locally, so that they are available offline.</p>
74 <h2 id="webview">Embed external web pages</h2>
78 Want to play with the code? Check out the
79 <a href="https://github.com/GoogleChrome/chrome-app-samples/tree/master/browser">browser</a>
84 The <code>webview</code> tag allows you to embed external web content in your
85 app, for example, a web page. It replaces iframes that point to remote URLs,
86 which are disabled inside Chrome Apps. Unlike iframes, the
87 <code>webview</code> tag runs in a separate process. This means that an exploit
88 inside of it will still be isolated and won't be able to gain elevated
89 privileges. Further, since its storage (cookies, etc.) is isolated from the app,
90 there is no way for the web content to access any of the app's data.
93 <h3 id="webview_element">Add webview element</h3>
96 Your <code>webview</code> element must include the URL to the source content
97 and specify its dimensions.
100 <pre data-filename="browser.html">
101 <webview src="http://news.google.com/" width="640" height="480"></webview>
104 <h3 id="properties">Update properties</h3>
107 To dynamically change the <code>src</code>, <code>width</code> and
108 <code>height</code> properties of a <code>webview</code> tag, you can either
109 set those properties directly on the JavaScript object, or use the
110 <code>setAttribute</code> DOM function.
113 <pre data-filename="browser.js">
114 document.querySelector('#mywebview').src =
115 'http://blog.chromium.org/';
117 document.querySelector('#mywebview').setAttribute(
118 'src', 'http://blog.chromium.org/');
121 <h2 id="sandboxing">Sandbox local content</h2>
124 Sandboxing allows specified pages
125 to be served in a sandboxed, unique origin.
126 These pages are then exempt from their Content Security Policy.
127 Sandboxed pages can use iframes, inline scripting,
128 and <code>eval()</code>.
129 Check out the manifest field description for
130 <a href="manifest/sandbox.html">sandbox</a>.
134 It's a trade-off though:
135 sandboxed pages can't use the chrome.* APIs.
136 If you need to do things like <code>eval()</code>,
137 go this route to be exempt from CSP,
138 but you won't be able to use the cool new stuff.
141 <h3 id="inline_scripts">Use inline scripts in sandbox</h3>
144 Here's a sample sandboxed page which uses an inline script and <code>eval()</code>:
147 <pre data-filename="sandboxed.html">
152 eval('console.log(\'I am an eval-ed inline script.\')');
158 <h3 id="include_sandbox">Include sandbox in manifest</h3>
161 You need to include the <code>sandbox</code> field in the manifest
162 and list the app pages to be served in a sandbox:
165 <pre data-filename="manifest.json">
167 "pages": ["sandboxed.html"]
171 <h3 id="opening_sandbox">Opening a sandboxed page in a window</h3>
174 Just like any other app pages,
175 you can create a window that the sandboxed page opens in.
176 Here's a sample that creates two windows,
177 one for the main app window that isn't sandboxed,
178 and one for the sandboxed page:
183 <a href="https://code.google.com/p/chromium/issues/detail?id=154662">issue 154662</a>
184 is a bug when using sandbox pages to create windows.
185 The effect is that an error "Uncaught TypeError: Cannot call method
186 'initializeAppWindow' of undefined" is output to the developer console
187 and that the app.window.create call does not call the callback function
188 with a window object. However, the sandbox page is created as a new window.
191 <pre data-filename="background.js">
192 chrome.app.runtime.onLaunched.addListener(function() {
193 chrome.app.window.create('window.html', {
202 chrome.app.window.create('sandboxed.html', {
213 <h3 id="embedding_sandbox">Embedding a sandboxed page in an app page</h3>
215 <p>Sandboxed pages can also be embedded within another app page
216 using an <code>iframe</code>:</p>
218 <pre data-filename="window.html">
224 <p>I am normal app window.</p>
226 <iframe src="sandboxed.html" width="300" height="200"></iframe>
232 <h2 id="postMessage">Sending messages to sandboxed pages</h2>
235 There are two parts to sending a message:
236 you need to post a message from the sender page/window,
237 and listen for messages on the receiving page/window.
240 <h3 id="post_message">Post message</h3>
243 You can use <code>postMessage</code> to communicate
244 between your app and sandboxed content.
245 Here's a sample background script
246 that posts a message to the sandboxed page it
250 <pre data-filename="background.js">
253 chrome.app.runtime.onLaunched.addListener(function() {
254 chrome.app.window.create('sandboxed.html', {
261 myWin.contentWindow.postMessage('Just wanted to say hey.', '*');
267 Generally speaking on the web,
268 you want to specify the exact origin
269 from where the message is sent.
270 Chrome Apps have no access
271 to the unique origin of sandboxed content,
272 so you can only whitelist all origins
273 as acceptable origins ('*').
274 On the receiving end,
275 you generally want to check the origin;
276 but since Chrome Apps content is contained,
279 see <a href="https://developer.mozilla.org/en/DOM/window.postMessage">window.postMessage</a>.
282 <h3 id="listen_message">Listen for message</h3>
285 Here's a sample message receiver
286 that gets added to your sandboxed page:
289 <pre data-filename="sandboxed.html">
290 var messageHandler = function(e) {
291 console.log('Background script says hello.', e.data);
294 window.addEventListener('message', messageHandler);
297 <p class="backtotop"><a href="#top">Back to top</a></p>