- add sources.

[platform/framework/web/crosswalk.git] / src / chrome / common / extensions / docs / templates / articles / activeTab.html

<style>
  #active-tab-images {
    margin-top: 1em;
  }
  #active-tab-images tr {
    vertical-align: top;
  }
  #active-tab-images .spacing {
    width: 1em;
  }
  #active-tab-before {
    width: 334px;
  }
  #active-tab-after {
    width: 334px;
  }
</style>

<h1>The activeTab permission</h1>

<p>
The <code>activeTab</code> permission gives an extension temporary access to the currently active tab when the user <em>invokes</em> the extension - for example by clicking its <a href="browserAction.html">browser action</a>. Access to the tab lasts until the tab is navigated or closed.
</p>

<p>
This serves as an alternative for many uses of <code>&lt;all_urls&gt;</code>, but displays <em>no warning message</em> during installation:
</p>

<table id="active-tab-images" class="simple">
  <tr>
    <th>Without activeTab</th>
    <th class="spacing"></th>
    <th>With activeTab</th>
  </tr>
  <tr>
    <td><img id="active-tab-before" src="{{static}}/images/active-tab-before.png"></td>
    <td class="spacing"></td>
    <td><img id="active-tab-after" src="{{static}}/images/active-tab-after.png"></td>
  </tr>
</table>

<h2 id="example">Example</h2>

<p>
See the <a href="samples.html#page-redder">Page Redder</a> sample extension:
</p>

<pre data-filename="manifest.json">
{
  "name": "Page Redder",
  "version": "2.0",
  <b>"permissions": [
    "activeTab"
  ],</b> 
  "background": {
    "scripts": ["background.js"],
    "persistent": false
  },  
  "browser_action": {
    "default_title": "Make this page red"
  },  
  "manifest_version": 2
}
</pre>

<pre data-filename="background.js">
// Called when the user clicks on the browser action.
chrome.browserAction.onClicked.addListener(function(tab) {
  // No tabs or host permissions needed!
  console.log('Turning ' + tab.url + ' red!');
  chrome.tabs.executeScript({
    code: 'document.body.style.backgroundColor="red"'
  }); 
});
</pre>

<h2 id="motivation">Motivation</h2>

<p>
Consider a web clipping extension that has a <a href="browserAction.html">browser action</a> and <a href="contextMenus.html">context menu item</a>. This extension may only really need to access tabs when its browser action is clicked, or when its context menu item is executed.
</p>

<p>
Without <code>activeTab</code>, this extension would need to request full, persistent access to every web site, just so that it could do its work if it happened to be called upon by the user. This is a lot of power to entrust to such a simple extension. And if the extension is ever compromised, the attacker gets access to everything the extension had.
</p>

<p>
In contrast, an extension with the <code>activeTab</code> permission only obtains access to a tab in response to an explicit user gesture. If the extension is compromised the attacker would need to wait for the user to invoke the extension before obtaining access. And that access only lasts until the tab is navigated or closed.
</p>

<h2 id="what-activeTab-allows">What activeTab allows</h2>

<p>
While the <code>activeTab</code> permission is enabled for a tab, an extension can:
<ul>
  <li>Call <code>$ref:tabs.executeScript</code> or <code>$ref:tabs.insertCSS</code> on that tab.
  <li>Get the URL, title, and favicon for that tab via an API that returns a <code>$ref:tabs.Tab</code> object (essentially, <code>activeTab</code> grants the <code><a href="tabs.html#manifest">tabs</a></code> permission temporarily).
</ul>
</p>

<h2 id="invoking-activeTab">Invoking activeTab</h2>

<p>
The following user gestures enable <code>activeTab</code>:
<ul>
  <li>Executing a <a href="browserAction.html">browser action</a>
  <li>Executing a <a href="pageAction.html">page action</a>
  <li>Executing a <a href="contextMenus.html">context menu item</a>
  <li>Executing a keyboard shortcut from the <a href="commands.html">commands API</a>
  <li>Accepting a suggestion from the <a href="omnibox.html">omnibox API</a>
</ul>
</p>