1 <h1>External Content</h1>
5 The <a href="app_architecture.html#security">Chrome Apps security model</a> disallows
6 external content in iframes and
7 the use of inline scripting and <code>eval()</code>.
8 You can override these restrictions,
9 but your external content must be isolated from the app.
13 Isolated content cannot directly
14 access the app's data or any of the APIs.
15 Use cross-origin XMLHttpRequests
16 and post-messaging to communicate between the event page and sandboxed content
17 and indirectly access the APIs.
22 Want to play with the code?
24 <a href="https://github.com/GoogleChrome/chrome-app-samples/tree/master/sandbox">sandbox</a> sample.
27 <h2 id="external">Referencing external resources</h2>
30 The <a href="contentSecurityPolicy.html">Content Security Policy</a> used by apps disallows
31 the use of many kinds of remote URLs, so you can't directly reference external
32 images, stylesheets, or fonts from an app page. Instead, you can use use
33 cross-origin XMLHttpRequests to fetch these resources,
34 and then serve them via <code>blob:</code> URLs.
37 <h3 id="manifest">Manifest requirement</h3>
40 To be able to do cross-origin XMLHttpRequests, you'll need to add a permission
41 for the remote URL's host:
44 <pre data-filename="manifest.json">
47 "https://supersweetdomainbutnotcspfriendly.com/"
51 <h3 id="cross-origin">Cross-origin XMLHttpRequest</h3>
54 Fetch the remote URL into the app and serve its contents as a <code>blob:</code>
59 var xhr = new XMLHttpRequest();
60 xhr.open('GET', 'https://supersweetdomainbutnotcspfriendly.com/image.png', true);
61 xhr.responseType = 'blob';
62 xhr.onload = function(e) {
63 var img = document.createElement('img');
64 img.src = window.webkitURL.createObjectURL(this.response);
65 document.body.appendChild(img);
71 <p>You may want to <a href="offline_apps.html#saving-locally">save</a>
72 these resources locally, so that they are available offline.</p>
74 <h2 id="webview">Embed external web pages</h2>
78 Want to play with the code? Check out the
79 <a href="https://github.com/GoogleChrome/chrome-app-samples/tree/master/browser">browser</a>
84 The <code>webview</code> tag allows you to embed external web content in your
85 app, for example, a web page. It replaces iframes that point to remote URLs,
86 which are disabled inside Chrome Apps. Unlike iframes, the
87 <code>webview</code> tag runs in a separate process. This means that an exploit
88 inside of it will still be isolated and won't be able to gain elevated
89 privileges. Further, since its storage (cookies, etc.) is isolated from the app,
90 there is no way for the web content to access any of the app's data.
93 <h3 id="webview_element">Add webview element</h3>
96 Your <code>webview</code> element must include the URL to the source content
97 and specify its dimensions.
100 <pre data-filename="browser.html">
101 <webview src="http://news.google.com/" width="640" height="480"></webview>
104 <h3 id="properties">Update properties</h3>
107 To dynamically change the <code>src</code>, <code>width</code> and
108 <code>height</code> properties of a <code>webview</code> tag, you can either
109 set those properties directly on the JavaScript object, or use the
110 <code>setAttribute</code> DOM function.
113 <pre data-filename="browser.js">
114 document.querySelector('#mywebview').src =
115 'http://blog.chromium.org/';
117 document.querySelector('#mywebview').setAttribute(
118 'src', 'http://blog.chromium.org/');
121 <h2 id="sandboxing">Sandbox local content</h2>
124 Sandboxing allows specified pages
125 to be served in a sandboxed, unique origin.
126 These pages are then exempt from their Content Security Policy.
127 Sandboxed pages can use iframes, inline scripting,
128 and <code>eval()</code>.
129 Check out the manifest field description for
130 <a href="manifest/sandbox.html">sandbox</a>.
134 It's a trade-off though:
135 sandboxed pages can't use the chrome.* APIs.
136 If you need to do things like <code>eval()</code>,
137 go this route to be exempt from CSP,
138 but you won't be able to use the cool new stuff.
141 <h3 id="inline_scripts">Use inline scripts in sandbox</h3>
144 Here's a sample sandboxed page
145 which uses an inline script and <code>eval()</code>:
148 <pre data-filename="sandboxed.html">
153 document.write('I am an inline script.<br>');
154 eval('document.write(\'I am an eval-ed inline script.\');');
160 <h3 id="include_sandbox">Include sandbox in manifest</h3>
163 You need to include the <code>sandbox</code> field in the manifest
164 and list the app pages to be served in a sandbox:
167 <pre data-filename="manifest.json">
169 "pages": ["sandboxed.html"]
173 <h3 id="opening_sandbox">Opening a sandboxed page in a window</h3>
176 Just like any other app pages,
177 you can create a window that the sandboxed page opens in.
178 Here's a sample that creates two windows,
179 one for the main app window that isn't sandboxed,
180 and one for the sandboxed page:
185 <a href="https://code.google.com/p/chromium/issues/detail?id=154662">issue 154662</a>
186 is a bug when using sandbox pages to create windows.
187 The effect is that an error "Uncaught TypeError: Cannot call method
188 'initializeAppWindow' of undefined" is output to the developer console
189 and that the app.window.create call does not call the callback function
190 with a window object. However, the sandbox page is created as a new window.
193 <pre data-filename="background.js">
194 chrome.app.runtime.onLaunched.addListener(function() {
195 chrome.app.window.create('window.html', {
204 chrome.app.window.create('sandboxed.html', {
215 <h3 id="embedding_sandbox">Embedding a sandboxed page in an app page</h3>
217 <p>Sandboxed pages can also be embedded within another app page
218 using an <code>iframe</code>:</p>
220 <pre data-filename="window.html">
226 <p>I am normal app window.</p>
228 <iframe src="sandboxed.html" width="300" height="200"></iframe>
234 <h2 id="postMessage">Sending messages to sandboxed pages</h2>
237 There are two parts to sending a message:
238 you need to post a message from the sender page/window,
239 and listen for messages on the receiving page/window.
242 <h3 id="post_message">Post message</h3>
245 You can use <code>postMessage</code> to communicate
246 between your app and sandboxed content.
247 Here's a sample background script
248 that posts a message to the sandboxed page it
252 <pre data-filename="background.js">
255 chrome.app.runtime.onLaunched.addListener(function() {
256 chrome.app.window.create('sandboxed.html', {
263 myWin.contentWindow.postMessage('Just wanted to say hey.', '*');
269 Generally speaking on the web,
270 you want to specify the exact origin
271 from where the message is sent.
272 Chrome Apps have no access
273 to the unique origin of sandboxed content,
274 so you can only whitelist all origins
275 as acceptable origins ('*').
276 On the receiving end,
277 you generally want to check the origin;
278 but since Chrome Apps content is contained,
281 see <a href="https://developer.mozilla.org/en/DOM/window.postMessage">window.postMessage</a>.
284 <h3 id="listen_message">Listen for message</h3>
287 Here's a sample message receiver
288 that gets added to your sandboxed page:
291 <pre data-filename="sandboxed.html">
292 var messageHandler = function(e) {
293 console.log('Background script says hello.', e.data);
296 window.addEventListener('message', messageHandler);
299 <p class="backtotop"><a href="#top">Back to top</a></p>
projects / platform / framework / web / crosswalk.git / blob