From b4fc237f35254e3ea15eecd8d5539df00bb61650 Mon Sep 17 00:00:00 2001 From: IanStanion-google <112102430+IanStanion-google@users.noreply.github.com> Date: Tue, 27 Sep 2022 09:13:49 -0400 Subject: [PATCH 01/33] manifest key submission Submission for Author and CSP key information pages --- .../extensions/mv3/manifest/author/index.md | 6 ++ .../manifest/content_security_policy/index.md | 59 +++++++++++++++++++ 2 files changed, 65 insertions(+) create mode 100644 site/en/docs/extensions/mv3/manifest/author/index.md create mode 100644 site/en/docs/extensions/mv3/manifest/content_security_policy/index.md diff --git a/site/en/docs/extensions/mv3/manifest/author/index.md b/site/en/docs/extensions/mv3/manifest/author/index.md new file mode 100644 index 000000000000..7647648e361f --- /dev/null +++ b/site/en/docs/extensions/mv3/manifest/author/index.md @@ -0,0 +1,6 @@ +# Manifest - Author + +## + +An optional Manifest key containing a String for a valid email address. If provided, the address should belong to the publisher of the Chrome extension on the Chrome Web Store. +For an individual, this can be a personal email address, while businesses may use a contact address. \ No newline at end of file diff --git a/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md b/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md new file mode 100644 index 000000000000..fed84cab2fae --- /dev/null +++ b/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md @@ -0,0 +1,59 @@ +# Manifest - Content Security Policy + +## + +An optional Manifest key defining restrictions on the sources, scripts, and objects able to be used by an extension. Within this manifest key, separate policies can be defined for both extension pages and sandboxed extension pages. + +The "extension pages" policy applies to page and worker contexts in the extension. This would include the extension popup, background worker, and tabs with html pages or iframes that were opened by the extension. The sandbox policy applies to all pages specified as a [sandbox page](https://developer.chrome.com/docs/extensions/mv3/manifest/sandbox/) in the manifest. + +## Default Policy + +If the [content security policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is not defined by the user in the manifest, the default properties will be used for both extension pages and sandboxed extension pages. +These defaults are equivalent to specifying the following policies in your manifest: + +``` +{ + // ... + "content_security_policy": { + "extension_pages": "script-src 'self'; object-src 'self';", + "sandbox": "sandbox allow-scripts allow-forms allow-popups allow-modals; script-src 'self' 'unsafe-inline' 'unsafe-eval'; child-src 'self'; +" + } + // ... +``` + +} + +In this case, the extension will only load local scripts and objects from its own packaged resources. WebAssembly will be disabled, and the extension will not run in-line Javascript or be able to evaluate strings as executable code. If a sandbox page is added, it will have more relaxed permissions for evaluating scripts from outside the extension. + +## Minimum and customized Content Security Policies + +Developers may add or remove rules for their extension, or use the minimum required content security policy, to fit the needs of their project. + +### Extension Pages Policy + +The minimum allowable content security policy for extension pages is as follows: + +``` +... +"content_security_policy": { + "extension_pages": "script-src 'self' 'wasm-unsafe-eval'; object-src 'self';" +} +... +``` + +Developers can then add further restrictions as needed, such as disabling WebAssembly, and adding specific security policies to only allow scripts and objects from certain domains and subdomains. +enable potentially unsafe practices such as the use of eval() to run code. +### Sandbox Pages Policy + +The default content security policy for sandbox pages is as follows: + +``` +... +"content_security_policy": { + "sandbox": sandbox allow-scripts allow-forms allow-popups allow-modals; script-src 'self' 'unsafe-inline' 'unsafe-eval'; child-src 'self'; +} +... +``` + +The default policy for sandboxed pages is much more lenient than with extension pages, as the sandbox page does not have access to extension APIs, or direct access to non-sandboxed pages. The sandbox content security policy can only be further restricted from its default state. \ No newline at end of file From 30ffc0bd1d44befc6647087b4d2b4b454bfe68e8 Mon Sep 17 00:00:00 2001 From: IanStanion-google <112102430+IanStanion-google@users.noreply.github.com> Date: Tue, 27 Sep 2022 09:25:10 -0400 Subject: [PATCH 02/33] Update index.md --- site/en/docs/extensions/mv3/manifest/author/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/en/docs/extensions/mv3/manifest/author/index.md b/site/en/docs/extensions/mv3/manifest/author/index.md index 7647648e361f..94b9ddaddded 100644 --- a/site/en/docs/extensions/mv3/manifest/author/index.md +++ b/site/en/docs/extensions/mv3/manifest/author/index.md @@ -1,4 +1,4 @@ -# Manifest - Author +## Manifest - Author ## From e511e791af93c183ef63c0ae9dea0e8df2577ecc Mon Sep 17 00:00:00 2001 From: IanStanion-google <112102430+IanStanion-google@users.noreply.github.com> Date: Tue, 27 Sep 2022 09:39:58 -0400 Subject: [PATCH 03/33] Update index.md --- .../mv3/manifest/content_security_policy/index.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md b/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md index fed84cab2fae..8696d6b482ab 100644 --- a/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md +++ b/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md @@ -1,17 +1,17 @@ -# Manifest - Content Security Policy +## Manifest - Content Security Policy ## An optional Manifest key defining restrictions on the sources, scripts, and objects able to be used by an extension. Within this manifest key, separate policies can be defined for both extension pages and sandboxed extension pages. -The "extension pages" policy applies to page and worker contexts in the extension. This would include the extension popup, background worker, and tabs with html pages or iframes that were opened by the extension. The sandbox policy applies to all pages specified as a [sandbox page](https://developer.chrome.com/docs/extensions/mv3/manifest/sandbox/) in the manifest. +The "extension pages" policy applies to page and worker contexts in the extension. This would include the extension popup, background worker, and tabs with html pages or iframes that were opened by the extension. The sandbox policy applies to all pages specified as a [sandbox page](/docs/extensions/mv3/manifest/sandbox/) in the manifest. ## Default Policy -If the [content security policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is not defined by the user in the manifest, the default properties will be used for both extension pages and sandboxed extension pages. +If the [content security policy](https://developer.mozilla.org/docs/Web/HTTP/CSP) is not defined by the user in the manifest, the default properties will be used for both extension pages and sandboxed extension pages. These defaults are equivalent to specifying the following policies in your manifest: -``` +```json { // ... "content_security_policy": { @@ -20,9 +20,10 @@ These defaults are equivalent to specifying the following policies in your manif " } // ... +} ``` -} + In this case, the extension will only load local scripts and objects from its own packaged resources. WebAssembly will be disabled, and the extension will not run in-line Javascript or be able to evaluate strings as executable code. If a sandbox page is added, it will have more relaxed permissions for evaluating scripts from outside the extension. @@ -34,7 +35,7 @@ Developers may add or remove rules for their extension, or use the minimum requi The minimum allowable content security policy for extension pages is as follows: -``` +```json ... "content_security_policy": { "extension_pages": "script-src 'self' 'wasm-unsafe-eval'; object-src 'self';" @@ -48,7 +49,7 @@ enable potentially unsafe practices such as the use of eval() to run code. The default content security policy for sandbox pages is as follows: -``` +```json ... "content_security_policy": { "sandbox": sandbox allow-scripts allow-forms allow-popups allow-modals; script-src 'self' 'unsafe-inline' 'unsafe-eval'; child-src 'self'; From f1e83ac3f2d32c66aa7a458466596d747229597e Mon Sep 17 00:00:00 2001 From: IanStanion-google <112102430+IanStanion-google@users.noreply.github.com> Date: Mon, 3 Oct 2022 10:37:03 -0400 Subject: [PATCH 04/33] Added meta-data to files --- site/en/docs/extensions/mv3/manifest/author/index.md | 7 +++++++ .../mv3/manifest/content_security_policy/index.md | 7 +++++++ 2 files changed, 14 insertions(+) diff --git a/site/en/docs/extensions/mv3/manifest/author/index.md b/site/en/docs/extensions/mv3/manifest/author/index.md index 94b9ddaddded..3291d2c4f3d9 100644 --- a/site/en/docs/extensions/mv3/manifest/author/index.md +++ b/site/en/docs/extensions/mv3/manifest/author/index.md @@ -1,3 +1,10 @@ +--- +layout: "layouts/doc-post.njk" +title: "Manifest - Author" +date: 2022-10-03 +updated: 2022-10-03 +description: Reference documentation for the author name property of manifest.json. +--- ## Manifest - Author ## diff --git a/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md b/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md index 8696d6b482ab..2f72471b42b8 100644 --- a/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md +++ b/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md @@ -1,3 +1,10 @@ +--- +layout: "layouts/doc-post.njk" +title: "Manifest - Content Security Policy" +date: 2022-10-03 +updated: 2022-10-03 +description: Reference documentation for the content security policy properties of manifest.json. +--- ## Manifest - Content Security Policy ## From 13bb158dee0f07bf5869f858332b7e613c265096 Mon Sep 17 00:00:00 2001 From: IanStanion-google <112102430+IanStanion-google@users.noreply.github.com> Date: Thu, 20 Oct 2022 10:53:58 -0400 Subject: [PATCH 05/33] Fixed headers Adjusted the title headers based on Joe's feedback --- site/en/docs/extensions/mv3/manifest/author/index.md | 3 --- .../extensions/mv3/manifest/content_security_policy/index.md | 3 --- 2 files changed, 6 deletions(-) diff --git a/site/en/docs/extensions/mv3/manifest/author/index.md b/site/en/docs/extensions/mv3/manifest/author/index.md index 3291d2c4f3d9..8a4162c545b4 100644 --- a/site/en/docs/extensions/mv3/manifest/author/index.md +++ b/site/en/docs/extensions/mv3/manifest/author/index.md @@ -5,9 +5,6 @@ date: 2022-10-03 updated: 2022-10-03 description: Reference documentation for the author name property of manifest.json. --- -## Manifest - Author - -## An optional Manifest key containing a String for a valid email address. If provided, the address should belong to the publisher of the Chrome extension on the Chrome Web Store. For an individual, this can be a personal email address, while businesses may use a contact address. \ No newline at end of file diff --git a/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md b/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md index 2f72471b42b8..6aa9ebff30f0 100644 --- a/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md +++ b/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md @@ -5,9 +5,6 @@ date: 2022-10-03 updated: 2022-10-03 description: Reference documentation for the content security policy properties of manifest.json. --- -## Manifest - Content Security Policy - -## An optional Manifest key defining restrictions on the sources, scripts, and objects able to be used by an extension. Within this manifest key, separate policies can be defined for both extension pages and sandboxed extension pages. From 14640ed9d8b0568db9be67d7143c69c49bc0318f Mon Sep 17 00:00:00 2001 From: IanStanion-google <112102430+IanStanion-google@users.noreply.github.com> Date: Fri, 28 Oct 2022 10:48:03 -0400 Subject: [PATCH 06/33] Automation and input-component key pages --- site/en/docs/extensions/mv3/manifest/automation/index.md | 3 +++ site/en/docs/extensions/mv3/manifest/input_component/index.md | 4 ++++ 2 files changed, 7 insertions(+) create mode 100644 site/en/docs/extensions/mv3/manifest/automation/index.md create mode 100644 site/en/docs/extensions/mv3/manifest/input_component/index.md diff --git a/site/en/docs/extensions/mv3/manifest/automation/index.md b/site/en/docs/extensions/mv3/manifest/automation/index.md new file mode 100644 index 000000000000..64dc426a2fa3 --- /dev/null +++ b/site/en/docs/extensions/mv3/manifest/automation/index.md @@ -0,0 +1,3 @@ +# Manifest - Automation + +An optional manifest key only publicly accessible on the Dev channel. Including this manifest key allows access to the [chrome.automation API](https://developer.chrome.com/docs/extensions/reference/automation/), exposing access to the automation (accessibility) tree for the browser, which can be used to programmatically interact with a page by examining names, roles, and states, listening for events, and performing actions on nodes. \ No newline at end of file diff --git a/site/en/docs/extensions/mv3/manifest/input_component/index.md b/site/en/docs/extensions/mv3/manifest/input_component/index.md new file mode 100644 index 000000000000..73616734a534 --- /dev/null +++ b/site/en/docs/extensions/mv3/manifest/input_component/index.md @@ -0,0 +1,4 @@ +# Manifest - input_components + +An optional Manifest key enabling the use of the [input.ime API](https://developer.chrome.com/docs/extensions/reference/input_ime/) (Input Method Editor) for use with ChromeOS. This allows your extension to handle keystrokes, set the composition, and open assistive windows. +Including the key in the extension manifest is done under Permissions. \ No newline at end of file From 88f3346751348ea41eaf83e86ddb5e878049eaf8 Mon Sep 17 00:00:00 2001 From: IanStanion-google <112102430+IanStanion-google@users.noreply.github.com> Date: Fri, 28 Oct 2022 10:54:56 -0400 Subject: [PATCH 07/33] metadata --- .../docs/extensions/mv3/manifest/automation/index.md | 11 +++++++++-- .../extensions/mv3/manifest/input_component/index.md | 10 ++++++++-- 2 files changed, 17 insertions(+), 4 deletions(-) diff --git a/site/en/docs/extensions/mv3/manifest/automation/index.md b/site/en/docs/extensions/mv3/manifest/automation/index.md index 64dc426a2fa3..fddba0853017 100644 --- a/site/en/docs/extensions/mv3/manifest/automation/index.md +++ b/site/en/docs/extensions/mv3/manifest/automation/index.md @@ -1,3 +1,10 @@ -# Manifest - Automation +--- +layout: "layouts/doc-post.njk" +title: "Manifest - automation" +date: 2022-10-28 +updated: +description: Reference documentation for the automation property of manifest.json. +--- -An optional manifest key only publicly accessible on the Dev channel. Including this manifest key allows access to the [chrome.automation API](https://developer.chrome.com/docs/extensions/reference/automation/), exposing access to the automation (accessibility) tree for the browser, which can be used to programmatically interact with a page by examining names, roles, and states, listening for events, and performing actions on nodes. \ No newline at end of file + +An optional manifest key only publicly accessible on the Dev channel. Including this manifest key allows access to the [chrome.automation API](/docs/extensions/reference/automation/), exposing access to the automation (accessibility) tree for the browser, which can be used to programmatically interact with a page by examining names, roles, and states, listening for events, and performing actions on nodes. \ No newline at end of file diff --git a/site/en/docs/extensions/mv3/manifest/input_component/index.md b/site/en/docs/extensions/mv3/manifest/input_component/index.md index 73616734a534..58c86d0a7a70 100644 --- a/site/en/docs/extensions/mv3/manifest/input_component/index.md +++ b/site/en/docs/extensions/mv3/manifest/input_component/index.md @@ -1,4 +1,10 @@ -# Manifest - input_components +--- +layout: "layouts/doc-post.njk" +title: "Manifest - input_component" +date: 2022-10-28 +updated: +description: Reference documentation for the input_component property of manifest.json. +--- -An optional Manifest key enabling the use of the [input.ime API](https://developer.chrome.com/docs/extensions/reference/input_ime/) (Input Method Editor) for use with ChromeOS. This allows your extension to handle keystrokes, set the composition, and open assistive windows. +An optional Manifest key enabling the use of the [input.ime API](/docs/extensions/reference/input_ime/) (Input Method Editor) for use with ChromeOS. This allows your extension to handle keystrokes, set the composition, and open assistive windows. Including the key in the extension manifest is done under Permissions. \ No newline at end of file From 3de8ee6291bad226252463c97d58d2a31b58b192 Mon Sep 17 00:00:00 2001 From: IanStanion-google <112102430+IanStanion-google@users.noreply.github.com> Date: Thu, 10 Nov 2022 09:13:29 -0500 Subject: [PATCH 08/33] Update site/en/docs/extensions/mv3/manifest/automation/index.md Co-authored-by: Simeon Vincent --- site/en/docs/extensions/mv3/manifest/automation/index.md | 1 - 1 file changed, 1 deletion(-) diff --git a/site/en/docs/extensions/mv3/manifest/automation/index.md b/site/en/docs/extensions/mv3/manifest/automation/index.md index fddba0853017..ca9dc76fddc3 100644 --- a/site/en/docs/extensions/mv3/manifest/automation/index.md +++ b/site/en/docs/extensions/mv3/manifest/automation/index.md @@ -6,5 +6,4 @@ updated: description: Reference documentation for the automation property of manifest.json. --- - An optional manifest key only publicly accessible on the Dev channel. Including this manifest key allows access to the [chrome.automation API](/docs/extensions/reference/automation/), exposing access to the automation (accessibility) tree for the browser, which can be used to programmatically interact with a page by examining names, roles, and states, listening for events, and performing actions on nodes. \ No newline at end of file From 84869181de574258faa7bccde5c677257c6b6658 Mon Sep 17 00:00:00 2001 From: IanStanion-google <112102430+IanStanion-google@users.noreply.github.com> Date: Thu, 10 Nov 2022 09:15:05 -0500 Subject: [PATCH 09/33] Update site/en/docs/extensions/mv3/manifest/content_security_policy/index.md Co-authored-by: Simeon Vincent --- .../extensions/mv3/manifest/content_security_policy/index.md | 1 + 1 file changed, 1 insertion(+) diff --git a/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md b/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md index 6aa9ebff30f0..7472fb24c58f 100644 --- a/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md +++ b/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md @@ -13,6 +13,7 @@ The "extension pages" policy applies to page and worker contexts in the extensio ## Default Policy If the [content security policy](https://developer.mozilla.org/docs/Web/HTTP/CSP) is not defined by the user in the manifest, the default properties will be used for both extension pages and sandboxed extension pages. + These defaults are equivalent to specifying the following policies in your manifest: ```json From c7ef1d370bbeb679450cd439493bfd214316dfb3 Mon Sep 17 00:00:00 2001 From: IanStanion-google <112102430+IanStanion-google@users.noreply.github.com> Date: Thu, 10 Nov 2022 09:15:57 -0500 Subject: [PATCH 10/33] Update site/en/docs/extensions/mv3/manifest/content_security_policy/index.md Co-authored-by: Simeon Vincent --- .../extensions/mv3/manifest/content_security_policy/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md b/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md index 7472fb24c58f..eac021a76895 100644 --- a/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md +++ b/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md @@ -62,4 +62,4 @@ The default content security policy for sandbox pages is as follows: ... ``` -The default policy for sandboxed pages is much more lenient than with extension pages, as the sandbox page does not have access to extension APIs, or direct access to non-sandboxed pages. The sandbox content security policy can only be further restricted from its default state. \ No newline at end of file +The default policy for sandboxed pages is much more lenient than with extension pages, as the sandbox page does not have access to extension APIs, or direct access to non-sandboxed pages. The sandbox content security policy can be customized as desired. \ No newline at end of file From 2205ed5e42c3d95fbce00a5168c896af39c46b0b Mon Sep 17 00:00:00 2001 From: IanStanion-google <112102430+IanStanion-google@users.noreply.github.com> Date: Thu, 10 Nov 2022 09:16:42 -0500 Subject: [PATCH 11/33] Update site/en/docs/extensions/mv3/manifest/content_security_policy/index.md Co-authored-by: Simeon Vincent --- .../extensions/mv3/manifest/content_security_policy/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md b/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md index eac021a76895..d6a511bef43e 100644 --- a/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md +++ b/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md @@ -38,7 +38,7 @@ Developers may add or remove rules for their extension, or use the minimum requi ### Extension Pages Policy -The minimum allowable content security policy for extension pages is as follows: +Chrome enforces a minimum content security policy for extension pages. It is equivalent to specifying the following policy in your manifest: ```json ... From 5a45a59f346ecc017f305612403c4efab6f0e041 Mon Sep 17 00:00:00 2001 From: IanStanion-google <112102430+IanStanion-google@users.noreply.github.com> Date: Thu, 10 Nov 2022 09:18:24 -0500 Subject: [PATCH 12/33] Update site/en/docs/extensions/mv3/manifest/content_security_policy/index.md Co-authored-by: Simeon Vincent --- .../mv3/manifest/content_security_policy/index.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md b/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md index d6a511bef43e..b73ddb341a40 100644 --- a/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md +++ b/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md @@ -48,8 +48,11 @@ Chrome enforces a minimum content security policy for extension pages. It is equ ... ``` -Developers can then add further restrictions as needed, such as disabling WebAssembly, and adding specific security policies to only allow scripts and objects from certain domains and subdomains. -enable potentially unsafe practices such as the use of eval() to run code. +The `extension_pages` policy cannot be relaxed beyond this minimum value. In other words, developers cannot add the `'unsafe-eval'` expression to the `script-src` directive in order to call `eval()` in extension page or worker contexts. Attempting to load an extension with such a CSP will cause Chrome to throw the following error at install time: + +``` +'content_security_policy.extension_pages': Insecure CSP value "'unsafe-eval'" in directive 'script-src'. +``` ### Sandbox Pages Policy The default content security policy for sandbox pages is as follows: From e3179c3589c02543057790a3f80195a544fb01ea Mon Sep 17 00:00:00 2001 From: IanStanion-google <112102430+IanStanion-google@users.noreply.github.com> Date: Thu, 10 Nov 2022 09:18:52 -0500 Subject: [PATCH 13/33] Update site/en/docs/extensions/mv3/manifest/content_security_policy/index.md Co-authored-by: Simeon Vincent --- .../mv3/manifest/content_security_policy/index.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md b/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md index b73ddb341a40..b8a02c730d55 100644 --- a/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md +++ b/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md @@ -58,11 +58,13 @@ The `extension_pages` policy cannot be relaxed beyond this minimum value. In oth The default content security policy for sandbox pages is as follows: ```json -... -"content_security_policy": { - "sandbox": sandbox allow-scripts allow-forms allow-popups allow-modals; script-src 'self' 'unsafe-inline' 'unsafe-eval'; child-src 'self'; +{ + // ... + "content_security_policy": { + "sandbox": "sandbox allow-scripts allow-forms allow-popups allow-modals; script-src 'self' 'unsafe-inline' 'unsafe-eval'; child-src 'self';" + } + // ... } -... ``` The default policy for sandboxed pages is much more lenient than with extension pages, as the sandbox page does not have access to extension APIs, or direct access to non-sandboxed pages. The sandbox content security policy can be customized as desired. \ No newline at end of file From d84d74cfd1f0cced75208332c00576ea1fc2812f Mon Sep 17 00:00:00 2001 From: IanStanion-google <112102430+IanStanion-google@users.noreply.github.com> Date: Thu, 10 Nov 2022 09:38:12 -0500 Subject: [PATCH 14/33] Implemented feedback --- site/en/docs/extensions/mv3/manifest/author/index.md | 3 +-- site/en/docs/extensions/mv3/manifest/automation/index.md | 2 +- .../extensions/mv3/manifest/content_security_policy/index.md | 2 +- site/en/docs/extensions/mv3/manifest/input_component/index.md | 3 +-- 4 files changed, 4 insertions(+), 6 deletions(-) diff --git a/site/en/docs/extensions/mv3/manifest/author/index.md b/site/en/docs/extensions/mv3/manifest/author/index.md index 8a4162c545b4..707639179d7a 100644 --- a/site/en/docs/extensions/mv3/manifest/author/index.md +++ b/site/en/docs/extensions/mv3/manifest/author/index.md @@ -6,5 +6,4 @@ updated: 2022-10-03 description: Reference documentation for the author name property of manifest.json. --- -An optional Manifest key containing a String for a valid email address. If provided, the address should belong to the publisher of the Chrome extension on the Chrome Web Store. -For an individual, this can be a personal email address, while businesses may use a contact address. \ No newline at end of file +An optional Manifest key containing a String for a valid email address. If provided, the address should belong to the publisher of the Chrome extension on the Chrome Web Store. For an individual, this can be a personal email address, while businesses may use a contact address. \ No newline at end of file diff --git a/site/en/docs/extensions/mv3/manifest/automation/index.md b/site/en/docs/extensions/mv3/manifest/automation/index.md index ca9dc76fddc3..caa27739a46b 100644 --- a/site/en/docs/extensions/mv3/manifest/automation/index.md +++ b/site/en/docs/extensions/mv3/manifest/automation/index.md @@ -6,4 +6,4 @@ updated: description: Reference documentation for the automation property of manifest.json. --- -An optional manifest key only publicly accessible on the Dev channel. Including this manifest key allows access to the [chrome.automation API](/docs/extensions/reference/automation/), exposing access to the automation (accessibility) tree for the browser, which can be used to programmatically interact with a page by examining names, roles, and states, listening for events, and performing actions on nodes. \ No newline at end of file +An optional manifest key only publicly accessible on the Chrome 109 canary [dev channel](www.chromium.org/getting-involved/dev-channel/#how-do-i-choose-which-channel-to-use). Including this manifest key allows access to the [chrome.automation API](/docs/extensions/reference/automation/), exposing access to the automation (accessibility) tree for the browser, which can be used to programmatically interact with a page by examining names, roles, and states, listening for events, and performing actions on nodes. \ No newline at end of file diff --git a/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md b/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md index b8a02c730d55..cec7e221bd1d 100644 --- a/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md +++ b/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md @@ -50,7 +50,7 @@ Chrome enforces a minimum content security policy for extension pages. It is equ The `extension_pages` policy cannot be relaxed beyond this minimum value. In other words, developers cannot add the `'unsafe-eval'` expression to the `script-src` directive in order to call `eval()` in extension page or worker contexts. Attempting to load an extension with such a CSP will cause Chrome to throw the following error at install time: -``` +```json 'content_security_policy.extension_pages': Insecure CSP value "'unsafe-eval'" in directive 'script-src'. ``` ### Sandbox Pages Policy diff --git a/site/en/docs/extensions/mv3/manifest/input_component/index.md b/site/en/docs/extensions/mv3/manifest/input_component/index.md index 58c86d0a7a70..751fc6a87e54 100644 --- a/site/en/docs/extensions/mv3/manifest/input_component/index.md +++ b/site/en/docs/extensions/mv3/manifest/input_component/index.md @@ -6,5 +6,4 @@ updated: description: Reference documentation for the input_component property of manifest.json. --- -An optional Manifest key enabling the use of the [input.ime API](/docs/extensions/reference/input_ime/) (Input Method Editor) for use with ChromeOS. This allows your extension to handle keystrokes, set the composition, and open assistive windows. -Including the key in the extension manifest is done under Permissions. \ No newline at end of file +An optional Manifest key enabling the use of the [input.ime API](/docs/extensions/reference/input_ime/) (Input Method Editor) for use with ChromeOS. This allows your extension to handle keystrokes, set the composition, and open assistive windows. Including the key in the extension manifest is done under Permissions. \ No newline at end of file From 182eae48701ab5d1fde415f06499a1c01f318780 Mon Sep 17 00:00:00 2001 From: IanStanion-google <112102430+IanStanion-google@users.noreply.github.com> Date: Mon, 14 Nov 2022 08:32:00 -0500 Subject: [PATCH 15/33] Update site/en/docs/extensions/mv3/manifest/content_security_policy/index.md Co-authored-by: Simeon Vincent --- .../extensions/mv3/manifest/content_security_policy/index.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md b/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md index cec7e221bd1d..40ef761ff888 100644 --- a/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md +++ b/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md @@ -16,6 +16,10 @@ If the [content security policy](https://developer.mozilla.org/docs/Web/HTTP/CSP These defaults are equivalent to specifying the following policies in your manifest: +{# This is statically defined in Chromium source. +- https://source.chromium.org/chromium/chromium/src/+/main:extensions/common/manifest_handlers/csp_info.cc?q=kDefaultMV3CSP +-https://source.chromium.org/chromium/chromium/src/+/main:extensions/common/manifest_handlers/csp_info.cc?q=kDefaultSandboxedPageContentSecurityPolicy +#} ```json { // ... From b9f0caec6d082439a171eda8df5a1749f4b7f062 Mon Sep 17 00:00:00 2001 From: IanStanion-google <112102430+IanStanion-google@users.noreply.github.com> Date: Mon, 14 Nov 2022 09:08:43 -0500 Subject: [PATCH 16/33] Update index.md --- site/en/docs/extensions/mv3/manifest/author/index.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/site/en/docs/extensions/mv3/manifest/author/index.md b/site/en/docs/extensions/mv3/manifest/author/index.md index 707639179d7a..7ad533ad0062 100644 --- a/site/en/docs/extensions/mv3/manifest/author/index.md +++ b/site/en/docs/extensions/mv3/manifest/author/index.md @@ -6,4 +6,12 @@ updated: 2022-10-03 description: Reference documentation for the author name property of manifest.json. --- -An optional Manifest key containing a String for a valid email address. If provided, the address should belong to the publisher of the Chrome extension on the Chrome Web Store. For an individual, this can be a personal email address, while businesses may use a contact address. \ No newline at end of file +An optional Manifest key containing a String for a valid email address. If provided, the address should belong to the publisher of the Chrome extension on the Chrome Web Store. For an individual, this can be a personal email address, while businesses may use a contact address. + +```json +{ + // ... + "author": "name", + // ... +} +``` \ No newline at end of file From 7e7e0195f9d2c75bb97ecdb82565708199d7e696 Mon Sep 17 00:00:00 2001 From: IanStanion-google <112102430+IanStanion-google@users.noreply.github.com> Date: Tue, 15 Nov 2022 10:15:58 -0500 Subject: [PATCH 17/33] Update index.md --- site/en/docs/extensions/mv3/manifest/author/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/en/docs/extensions/mv3/manifest/author/index.md b/site/en/docs/extensions/mv3/manifest/author/index.md index 7ad533ad0062..e3f8bbfb57cf 100644 --- a/site/en/docs/extensions/mv3/manifest/author/index.md +++ b/site/en/docs/extensions/mv3/manifest/author/index.md @@ -11,7 +11,7 @@ An optional Manifest key containing a String for a valid email address. If provi ```json { // ... - "author": "name", + "author": "example@email.com", // ... } ``` \ No newline at end of file From e9a14dd6799ae531613e0a3e3449573c48418569 Mon Sep 17 00:00:00 2001 From: IanStanion-google <112102430+IanStanion-google@users.noreply.github.com> Date: Tue, 15 Nov 2022 10:30:51 -0500 Subject: [PATCH 18/33] Update index.md --- .../docs/extensions/mv3/manifest/automation/index.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/site/en/docs/extensions/mv3/manifest/automation/index.md b/site/en/docs/extensions/mv3/manifest/automation/index.md index caa27739a46b..013a4cc132a4 100644 --- a/site/en/docs/extensions/mv3/manifest/automation/index.md +++ b/site/en/docs/extensions/mv3/manifest/automation/index.md @@ -6,4 +6,12 @@ updated: description: Reference documentation for the automation property of manifest.json. --- -An optional manifest key only publicly accessible on the Chrome 109 canary [dev channel](www.chromium.org/getting-involved/dev-channel/#how-do-i-choose-which-channel-to-use). Including this manifest key allows access to the [chrome.automation API](/docs/extensions/reference/automation/), exposing access to the automation (accessibility) tree for the browser, which can be used to programmatically interact with a page by examining names, roles, and states, listening for events, and performing actions on nodes. \ No newline at end of file +An optional manifest key only publicly accessible on the Chrome 109 canary [dev channel](www.chromium.org/getting-involved/dev-channel/#how-do-i-choose-which-channel-to-use). Including this manifest key allows access to the [chrome.automation API](/docs/extensions/reference/automation/), exposing access to the automation (accessibility) tree for the browser, which can be used to programmatically interact with a page by examining names, roles, and states, listening for events, and performing actions on nodes. You can specify a list of URL patterns for which this extension may request an automation tree. If not specified, automation permission will be granted for the sites for which the extension has a [host permission](/extensions/declare_permissions#host-permissions) or [activeTab permission](/extensions/declare_permissions#activeTab). + +```json +{ + // ... + "automation": ["https://www.exampleurl.com"], + // ... +} +``` \ No newline at end of file From 4ee2d23778df7b6489f3903b8a3a51a0233751eb Mon Sep 17 00:00:00 2001 From: IanStanion-google <112102430+IanStanion-google@users.noreply.github.com> Date: Fri, 18 Nov 2022 08:53:08 -0500 Subject: [PATCH 19/33] Update site/en/docs/extensions/mv3/manifest/content_security_policy/index.md Co-authored-by: Simeon Vincent --- .../extensions/mv3/manifest/content_security_policy/index.md | 1 - 1 file changed, 1 deletion(-) diff --git a/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md b/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md index 40ef761ff888..adc66efb3e05 100644 --- a/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md +++ b/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md @@ -33,7 +33,6 @@ These defaults are equivalent to specifying the following policies in your manif ``` - In this case, the extension will only load local scripts and objects from its own packaged resources. WebAssembly will be disabled, and the extension will not run in-line Javascript or be able to evaluate strings as executable code. If a sandbox page is added, it will have more relaxed permissions for evaluating scripts from outside the extension. ## Minimum and customized Content Security Policies From d9089b8a3c5ea733c8bc3551cd7e7b38d89cd090 Mon Sep 17 00:00:00 2001 From: IanStanion-google <112102430+IanStanion-google@users.noreply.github.com> Date: Fri, 18 Nov 2022 08:53:42 -0500 Subject: [PATCH 20/33] Update site/en/docs/extensions/mv3/manifest/content_security_policy/index.md Co-authored-by: Simeon Vincent --- .../extensions/mv3/manifest/content_security_policy/index.md | 1 - 1 file changed, 1 deletion(-) diff --git a/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md b/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md index adc66efb3e05..1ed30a36c3a7 100644 --- a/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md +++ b/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md @@ -32,7 +32,6 @@ These defaults are equivalent to specifying the following policies in your manif } ``` - In this case, the extension will only load local scripts and objects from its own packaged resources. WebAssembly will be disabled, and the extension will not run in-line Javascript or be able to evaluate strings as executable code. If a sandbox page is added, it will have more relaxed permissions for evaluating scripts from outside the extension. ## Minimum and customized Content Security Policies From f478563c87a06c2b104fde927b25eefbca524db4 Mon Sep 17 00:00:00 2001 From: IanStanion-google <112102430+IanStanion-google@users.noreply.github.com> Date: Fri, 18 Nov 2022 08:54:03 -0500 Subject: [PATCH 21/33] Update site/en/docs/extensions/mv3/manifest/content_security_policy/index.md Co-authored-by: Simeon Vincent --- .../extensions/mv3/manifest/content_security_policy/index.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md b/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md index 1ed30a36c3a7..636bbe56b6cf 100644 --- a/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md +++ b/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md @@ -25,8 +25,7 @@ These defaults are equivalent to specifying the following policies in your manif // ... "content_security_policy": { "extension_pages": "script-src 'self'; object-src 'self';", - "sandbox": "sandbox allow-scripts allow-forms allow-popups allow-modals; script-src 'self' 'unsafe-inline' 'unsafe-eval'; child-src 'self'; -" + "sandbox": "sandbox allow-scripts allow-forms allow-popups allow-modals; script-src 'self' 'unsafe-inline' 'unsafe-eval'; child-src 'self';" } // ... } From d5ce42cc78602add6e3e3e522f1ba6389789a1dd Mon Sep 17 00:00:00 2001 From: IanStanion-google <112102430+IanStanion-google@users.noreply.github.com> Date: Fri, 18 Nov 2022 08:54:47 -0500 Subject: [PATCH 22/33] Update site/en/docs/extensions/mv3/manifest/content_security_policy/index.md Co-authored-by: Simeon Vincent --- .../extensions/mv3/manifest/content_security_policy/index.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md b/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md index 636bbe56b6cf..e2fdff210e16 100644 --- a/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md +++ b/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md @@ -41,6 +41,9 @@ Developers may add or remove rules for their extension, or use the minimum requi Chrome enforces a minimum content security policy for extension pages. It is equivalent to specifying the following policy in your manifest: +{# This is statically defined in Chromium source. +- https://source.chromium.org/chromium/chromium/src/+/main:extensions/common/manifest_handlers/csp_info.cc?q=kMinimumMV3CSP +#} ```json ... "content_security_policy": { From beb3e10dfbaed86f6b25d892d8bead815e57d6f1 Mon Sep 17 00:00:00 2001 From: IanStanion-google <112102430+IanStanion-google@users.noreply.github.com> Date: Fri, 18 Nov 2022 08:55:06 -0500 Subject: [PATCH 23/33] Update site/en/docs/extensions/mv3/manifest/content_security_policy/index.md Co-authored-by: Simeon Vincent --- .../mv3/manifest/content_security_policy/index.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md b/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md index e2fdff210e16..c6d53a64ccdb 100644 --- a/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md +++ b/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md @@ -45,11 +45,13 @@ Chrome enforces a minimum content security policy for extension pages. It is equ - https://source.chromium.org/chromium/chromium/src/+/main:extensions/common/manifest_handlers/csp_info.cc?q=kMinimumMV3CSP #} ```json -... -"content_security_policy": { +{ + // ... + "content_security_policy": { "extension_pages": "script-src 'self' 'wasm-unsafe-eval'; object-src 'self';" + } + // ... } -... ``` The `extension_pages` policy cannot be relaxed beyond this minimum value. In other words, developers cannot add the `'unsafe-eval'` expression to the `script-src` directive in order to call `eval()` in extension page or worker contexts. Attempting to load an extension with such a CSP will cause Chrome to throw the following error at install time: From 3a85f001694ddb4f3e87dd559befb41b76af4b05 Mon Sep 17 00:00:00 2001 From: IanStanion-google <112102430+IanStanion-google@users.noreply.github.com> Date: Fri, 18 Nov 2022 19:18:36 -0500 Subject: [PATCH 24/33] Update site/en/docs/extensions/mv3/manifest/automation/index.md Co-authored-by: Simeon Vincent --- site/en/docs/extensions/mv3/manifest/automation/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/en/docs/extensions/mv3/manifest/automation/index.md b/site/en/docs/extensions/mv3/manifest/automation/index.md index 013a4cc132a4..af94d45f5852 100644 --- a/site/en/docs/extensions/mv3/manifest/automation/index.md +++ b/site/en/docs/extensions/mv3/manifest/automation/index.md @@ -6,7 +6,7 @@ updated: description: Reference documentation for the automation property of manifest.json. --- -An optional manifest key only publicly accessible on the Chrome 109 canary [dev channel](www.chromium.org/getting-involved/dev-channel/#how-do-i-choose-which-channel-to-use). Including this manifest key allows access to the [chrome.automation API](/docs/extensions/reference/automation/), exposing access to the automation (accessibility) tree for the browser, which can be used to programmatically interact with a page by examining names, roles, and states, listening for events, and performing actions on nodes. You can specify a list of URL patterns for which this extension may request an automation tree. If not specified, automation permission will be granted for the sites for which the extension has a [host permission](/extensions/declare_permissions#host-permissions) or [activeTab permission](/extensions/declare_permissions#activeTab). +An optional manifest key only publicly accessible on [dev builds](www.chromium.org/getting-involved/dev-channel/#how-do-i-choose-which-channel-to-use). Including this manifest key allows access to the [chrome.automation API](/docs/extensions/reference/automation/), exposing access to the automation (accessibility) tree for the browser, which can be used to programmatically interact with a page by examining names, roles, and states, listening for events, and performing actions on nodes. You can specify a list of URL patterns for which this extension may request an automation tree. If not specified, automation permission will be granted for the sites for which the extension has a [host permission](/extensions/declare_permissions#host-permissions) or [activeTab permission](/extensions/declare_permissions#activeTab). ```json { From 95910bb45301429cd04dc0edfd90618c343f6390 Mon Sep 17 00:00:00 2001 From: IanStanion-google <112102430+IanStanion-google@users.noreply.github.com> Date: Fri, 18 Nov 2022 19:19:05 -0500 Subject: [PATCH 25/33] Update site/en/docs/extensions/mv3/manifest/automation/index.md Co-authored-by: Simeon Vincent --- site/en/docs/extensions/mv3/manifest/automation/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/en/docs/extensions/mv3/manifest/automation/index.md b/site/en/docs/extensions/mv3/manifest/automation/index.md index af94d45f5852..a97cb8451e34 100644 --- a/site/en/docs/extensions/mv3/manifest/automation/index.md +++ b/site/en/docs/extensions/mv3/manifest/automation/index.md @@ -11,7 +11,7 @@ An optional manifest key only publicly accessible on [dev builds](www.chromium.o ```json { // ... - "automation": ["https://www.exampleurl.com"], + "automation": ["https://www.exampleurl.com"], // ... } ``` \ No newline at end of file From 57b8f578df8f75ca88db599b8bed35a2ec9b2780 Mon Sep 17 00:00:00 2001 From: IanStanion-google <112102430+IanStanion-google@users.noreply.github.com> Date: Fri, 18 Nov 2022 19:26:22 -0500 Subject: [PATCH 26/33] Update site/en/docs/extensions/mv3/manifest/content_security_policy/index.md Co-authored-by: Simeon Vincent --- .../extensions/mv3/manifest/content_security_policy/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md b/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md index c6d53a64ccdb..9a70326a1469 100644 --- a/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md +++ b/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md @@ -6,7 +6,7 @@ updated: 2022-10-03 description: Reference documentation for the content security policy properties of manifest.json. --- -An optional Manifest key defining restrictions on the sources, scripts, and objects able to be used by an extension. Within this manifest key, separate policies can be defined for both extension pages and sandboxed extension pages. +An optional Manifest key defining restrictions on the sources, scripts, and objects able to be used by an extension. Within this manifest key, separate optional policies can be defined for both extension pages and sandboxed extension pages. The "extension pages" policy applies to page and worker contexts in the extension. This would include the extension popup, background worker, and tabs with html pages or iframes that were opened by the extension. The sandbox policy applies to all pages specified as a [sandbox page](/docs/extensions/mv3/manifest/sandbox/) in the manifest. From 454856fe8a6ea2190f44388cb7acf2652f27d3f8 Mon Sep 17 00:00:00 2001 From: IanStanion-google <112102430+IanStanion-google@users.noreply.github.com> Date: Fri, 18 Nov 2022 19:26:44 -0500 Subject: [PATCH 27/33] Update site/en/docs/extensions/mv3/manifest/content_security_policy/index.md Co-authored-by: Simeon Vincent --- .../extensions/mv3/manifest/content_security_policy/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md b/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md index 9a70326a1469..c62e172eb8e2 100644 --- a/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md +++ b/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md @@ -54,7 +54,7 @@ Chrome enforces a minimum content security policy for extension pages. It is equ } ``` -The `extension_pages` policy cannot be relaxed beyond this minimum value. In other words, developers cannot add the `'unsafe-eval'` expression to the `script-src` directive in order to call `eval()` in extension page or worker contexts. Attempting to load an extension with such a CSP will cause Chrome to throw the following error at install time: +The `extension_pages` policy cannot be relaxed beyond this minimum value. In other words, you cannot add other script sources to directives, such as adding `'unsafe-eval'` to `script-src`. If you add a disallowed source to your extension's policy, Chrome will throw an error like this at install time: ```json 'content_security_policy.extension_pages': Insecure CSP value "'unsafe-eval'" in directive 'script-src'. From 9a43a619c348c5688c049ba4d827716c2a47e123 Mon Sep 17 00:00:00 2001 From: IanStanion-google <112102430+IanStanion-google@users.noreply.github.com> Date: Fri, 18 Nov 2022 19:27:16 -0500 Subject: [PATCH 28/33] Update site/en/docs/extensions/mv3/manifest/content_security_policy/index.md Co-authored-by: Simeon Vincent --- .../mv3/manifest/content_security_policy/index.md | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md b/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md index c62e172eb8e2..d9d3671aeed9 100644 --- a/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md +++ b/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md @@ -61,16 +61,4 @@ The `extension_pages` policy cannot be relaxed beyond this minimum value. In oth ``` ### Sandbox Pages Policy -The default content security policy for sandbox pages is as follows: - -```json -{ - // ... - "content_security_policy": { - "sandbox": "sandbox allow-scripts allow-forms allow-popups allow-modals; script-src 'self' 'unsafe-inline' 'unsafe-eval'; child-src 'self';" - } - // ... -} -``` - The default policy for sandboxed pages is much more lenient than with extension pages, as the sandbox page does not have access to extension APIs, or direct access to non-sandboxed pages. The sandbox content security policy can be customized as desired. \ No newline at end of file From 64b229e5f3c8027624b4bc0b8365c5ca2f3cf252 Mon Sep 17 00:00:00 2001 From: IanStanion-google <112102430+IanStanion-google@users.noreply.github.com> Date: Fri, 18 Nov 2022 19:27:48 -0500 Subject: [PATCH 29/33] Update site/en/docs/extensions/mv3/manifest/input_component/index.md Co-authored-by: Simeon Vincent --- site/en/docs/extensions/mv3/manifest/input_component/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/en/docs/extensions/mv3/manifest/input_component/index.md b/site/en/docs/extensions/mv3/manifest/input_component/index.md index 751fc6a87e54..4c77f1660db2 100644 --- a/site/en/docs/extensions/mv3/manifest/input_component/index.md +++ b/site/en/docs/extensions/mv3/manifest/input_component/index.md @@ -6,4 +6,4 @@ updated: description: Reference documentation for the input_component property of manifest.json. --- -An optional Manifest key enabling the use of the [input.ime API](/docs/extensions/reference/input_ime/) (Input Method Editor) for use with ChromeOS. This allows your extension to handle keystrokes, set the composition, and open assistive windows. Including the key in the extension manifest is done under Permissions. \ No newline at end of file +An optional Manifest key enabling the use of the [`input.ime` API](/docs/extensions/reference/input_ime/) (Input Method Editor) for use with ChromeOS. This allows your extension to handle keystrokes, set the composition, and open assistive windows. Developers must also declare the `"input"` permission in the extension's `"permissions"` array. \ No newline at end of file From 4526373cbd0e44b49ca0e00e6faf97ca64f399b7 Mon Sep 17 00:00:00 2001 From: IanStanion-google <112102430+IanStanion-google@users.noreply.github.com> Date: Tue, 13 Dec 2022 11:38:40 -0500 Subject: [PATCH 30/33] Update site/en/docs/extensions/mv3/manifest/author/index.md Co-authored-by: Simeon Vincent --- site/en/docs/extensions/mv3/manifest/author/index.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/site/en/docs/extensions/mv3/manifest/author/index.md b/site/en/docs/extensions/mv3/manifest/author/index.md index e3f8bbfb57cf..27bd4d520f48 100644 --- a/site/en/docs/extensions/mv3/manifest/author/index.md +++ b/site/en/docs/extensions/mv3/manifest/author/index.md @@ -11,7 +11,9 @@ An optional Manifest key containing a String for a valid email address. If provi ```json { // ... - "author": "example@email.com", + "author": { + "email": "user@example.com" + }, // ... } ``` \ No newline at end of file From 8f0bc0ad53cd7000b20386a1340cebe0bc73ce56 Mon Sep 17 00:00:00 2001 From: IanStanion-google <112102430+IanStanion-google@users.noreply.github.com> Date: Tue, 13 Dec 2022 11:43:19 -0500 Subject: [PATCH 31/33] Update site/en/docs/extensions/mv3/manifest/content_security_policy/index.md Co-authored-by: Simeon Vincent --- .../extensions/mv3/manifest/content_security_policy/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md b/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md index d9d3671aeed9..98e183e7ff2b 100644 --- a/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md +++ b/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md @@ -6,7 +6,7 @@ updated: 2022-10-03 description: Reference documentation for the content security policy properties of manifest.json. --- -An optional Manifest key defining restrictions on the sources, scripts, and objects able to be used by an extension. Within this manifest key, separate optional policies can be defined for both extension pages and sandboxed extension pages. +An optional manifest key defining restrictions on the scripts, styles, and other resources an extension can use. Within this manifest key, separate optional policies can be defined for both extension pages and sandboxed extension pages. The "extension pages" policy applies to page and worker contexts in the extension. This would include the extension popup, background worker, and tabs with html pages or iframes that were opened by the extension. The sandbox policy applies to all pages specified as a [sandbox page](/docs/extensions/mv3/manifest/sandbox/) in the manifest. From c417aedaebd20205eaec92cbc6f8b762145872b0 Mon Sep 17 00:00:00 2001 From: IanStanion-google <112102430+IanStanion-google@users.noreply.github.com> Date: Tue, 13 Dec 2022 11:44:22 -0500 Subject: [PATCH 32/33] Update site/en/docs/extensions/mv3/manifest/content_security_policy/index.md Co-authored-by: Simeon Vincent --- .../extensions/mv3/manifest/content_security_policy/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md b/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md index 98e183e7ff2b..77c75b15b2e0 100644 --- a/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md +++ b/site/en/docs/extensions/mv3/manifest/content_security_policy/index.md @@ -8,7 +8,7 @@ description: Reference documentation for the content security policy properties An optional manifest key defining restrictions on the scripts, styles, and other resources an extension can use. Within this manifest key, separate optional policies can be defined for both extension pages and sandboxed extension pages. -The "extension pages" policy applies to page and worker contexts in the extension. This would include the extension popup, background worker, and tabs with html pages or iframes that were opened by the extension. The sandbox policy applies to all pages specified as a [sandbox page](/docs/extensions/mv3/manifest/sandbox/) in the manifest. +The "extension pages" policy applies to page and worker contexts in the extension. This would include the extension popup, background worker, and tabs with HTML pages or iframes that were opened by the extension. The sandbox policy applies to all pages specified as a [sandbox page](/docs/extensions/mv3/manifest/sandbox/) in the manifest. ## Default Policy From a67477e8970464c15ff6d1860c4739d160dbb279 Mon Sep 17 00:00:00 2001 From: IanStanion-google <112102430+IanStanion-google@users.noreply.github.com> Date: Tue, 3 Jan 2023 09:05:19 -0500 Subject: [PATCH 33/33] Added additional detail per final reviews --- .../extensions/mv3/manifest/author/index.md | 2 +- .../mv3/manifest/automation/index.md | 16 ++++++++++-- .../mv3/manifest/input_component/index.md | 26 ++++++++++++++++++- 3 files changed, 40 insertions(+), 4 deletions(-) diff --git a/site/en/docs/extensions/mv3/manifest/author/index.md b/site/en/docs/extensions/mv3/manifest/author/index.md index 27bd4d520f48..69e404574284 100644 --- a/site/en/docs/extensions/mv3/manifest/author/index.md +++ b/site/en/docs/extensions/mv3/manifest/author/index.md @@ -6,7 +6,7 @@ updated: 2022-10-03 description: Reference documentation for the author name property of manifest.json. --- -An optional Manifest key containing a String for a valid email address. If provided, the address should belong to the publisher of the Chrome extension on the Chrome Web Store. For an individual, this can be a personal email address, while businesses may use a contact address. +An optional manifest key that takes an object with an "email" key (see the example below). This is the email address of the extension author. When publishing a CRX file to the Chrome Web Store, this string MUST match the email address of the account used to publish the extension. ```json { diff --git a/site/en/docs/extensions/mv3/manifest/automation/index.md b/site/en/docs/extensions/mv3/manifest/automation/index.md index a97cb8451e34..eeba6b2c6393 100644 --- a/site/en/docs/extensions/mv3/manifest/automation/index.md +++ b/site/en/docs/extensions/mv3/manifest/automation/index.md @@ -6,12 +6,24 @@ updated: description: Reference documentation for the automation property of manifest.json. --- -An optional manifest key only publicly accessible on [dev builds](www.chromium.org/getting-involved/dev-channel/#how-do-i-choose-which-channel-to-use). Including this manifest key allows access to the [chrome.automation API](/docs/extensions/reference/automation/), exposing access to the automation (accessibility) tree for the browser, which can be used to programmatically interact with a page by examining names, roles, and states, listening for events, and performing actions on nodes. You can specify a list of URL patterns for which this extension may request an automation tree. If not specified, automation permission will be granted for the sites for which the extension has a [host permission](/extensions/declare_permissions#host-permissions) or [activeTab permission](/extensions/declare_permissions#activeTab). +An optional manifest key only publicly accessible on [dev builds](www.chromium.org/getting-involved/dev-channel/#how-do-i-choose-which-channel-to-use). Including this manifest key allows access to the [chrome.automation API](/docs/extensions/reference/automation/), exposing access to the automation (accessibility) tree for the browser, which can be used to programmatically interact with a page by examining names, roles, and states, listening for events, and performing actions on nodes. The key accepts an object with the following properties: ```desktop```, ```interact```, and ```matches```(see the table below). If no matches are specified, automation permission will be granted on sites for which the extension has a [host permission](/extensions/declare_permissions#host-permissions) or [activeTab permission](/extensions/declare_permissions#activeTab). + +| Property | Type | Description | +| --- | --- | :-- | +| `desktop` | boolean | Used to gate access to `getDesktop()` and accessibility events related to the desktop. | +| `interact` | boolean | Returns the list of hosts that this extension can request an automation tree from. | +| `matches` | array of string URLs| Determines whether the extension is allowed interactive access (true) or read-only access (false) to the automation tree. | ```json { // ... - "automation": ["https://www.exampleurl.com"], + "automation": { + "desktop": true, + "interact": true, + "matches": [ + "www.google.com" + ] + } // ... } ``` \ No newline at end of file diff --git a/site/en/docs/extensions/mv3/manifest/input_component/index.md b/site/en/docs/extensions/mv3/manifest/input_component/index.md index 4c77f1660db2..4156572f9b37 100644 --- a/site/en/docs/extensions/mv3/manifest/input_component/index.md +++ b/site/en/docs/extensions/mv3/manifest/input_component/index.md @@ -6,4 +6,28 @@ updated: description: Reference documentation for the input_component property of manifest.json. --- -An optional Manifest key enabling the use of the [`input.ime` API](/docs/extensions/reference/input_ime/) (Input Method Editor) for use with ChromeOS. This allows your extension to handle keystrokes, set the composition, and open assistive windows. Developers must also declare the `"input"` permission in the extension's `"permissions"` array. \ No newline at end of file +An optional Manifest key enabling the use of the [`input.ime` API](/docs/extensions/reference/input_ime/) (Input Method Editor) for use with ChromeOS. This allows your extension to handle keystrokes, set the composition, and open assistive windows. Developers must also declare the `"input"` permission in the extension's `"permissions"` array. +The key accepts an array of objects: ```name```, ```id```, ```language```, ```layouts```, ```input_view```, and ```options_page``` (Refer to the table below). + +| Property | Type | Description | +| --- | --- | :-- | +| `name` | string | Required name of the input component object. | +| `id` | string | Optional component object id. | +| `language` | string (or array of strings)| Optional specified language or list of applicable languages. Examples: "en", ["en", "pt"] | +| `layouts` | string (or array of strings)| Optional list of input methods. Note that ChromeOS only supports one layout per input method. If multiple layouts are specified, selection order is undefined. Extensions are therefore strongly encouraged to only specify one layout per input method. For keyboard layouts, a `xkb:` prefix indicates that this is a keyboard layout extension. +Example: ["us::eng"]| +| `input_view` | string| Optional string specifying an extension resource.| +| `options_page` | string| Optional string specifying an extension resource. If not provided, the default extension's options page will be used.| + +```json +{ + // ... + "input_components": [{ + "name": "ToUpperIME", + "id": "ToUpperIME", + "language": "en", + "layouts": ["us::eng"] + }] + // ... +} +```