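<!DOCTYPE html>
<html lang="en">
<head>
<!-- Encoding declared first so the mixed English/Chinese title decodes correctly. -->
<meta charset="utf-8">
<link href="stable/static/css/site.css" rel="stylesheet">
<link href="stable/static/css/print.css" rel="stylesheet" media="print">
<link href="stable/static/css/prettify.css" rel="stylesheet">
<!-- Explicit https: instead of a protocol-relative URL; the icon file is a PNG, not image/ico. -->
<link href="https://www.google.com/images/icons/product/chrome-16.png" rel="icon" type="image/png">
<title>Using eval in Chrome Extensions. Safely. - chrome插件中文开发文档(非官方)</title>
</head>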
<body>
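<a id="top"></a>
<div id="header">{Header content}</div>
<a id="gc-topnav-anchor"></a>
<!-- Site-wide tabs. The navigation landmark is declared on the existing div
     so that site.css selectors keyed on #gc-topnav keep working. -->
<div id="gc-topnav" role="navigation" aria-label="Primary">
<!-- NOTE(review): this is a second <h1> on the page (the page title lives in
     #gc-pagecontent); kept because site.css may style it -- confirm before demoting. -->
<h1>Google Chrome Extensions</h1>
<ul id="home" class="gc-topnav-tabs">
<li id="home_link">
<a href="index.html" title="Google Chrome Extensions home page"><div>Home</div></a>
</li>
<li id="docs_link">
<a href="docs.html" title="Official Google Chrome Extensions documentation"><div>Docs</div></a>
</li>
<li id="faq_link">
<a href="faq.html" title="Answers to frequently asked questions about Google Chrome Extensions"><div>FAQ</div></a>
</li>
<li id="samples_link">
<a href="samples.html" title="Sample Extensions (with source code)"><div>Samples</div></a>
</li>
<!-- External destinations are linked over https rather than plain http. -->
<li id="group_link">
<a href="https://groups.google.com/a/chromium.org/group/chromium-extensions" title="Google Chrome Extensions developer forum"><div>Group</div></a>
</li>
<li id="so_link">
<a href="https://stackoverflow.com/questions/tagged/google-chrome-extension" title="[google-chrome-extension] tag on Stack Overflow"><div>Questions?</div></a>
</li>
</ul>
</div>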
<div id="gc-container">
<div id="gc-sidebar">
<!-- Section navigation. Nested lists (level1 .. level4) mirror the doc
     hierarchy. The href-less <a class="button level3"> entries and the
     "toggleable" lists carrying class "hidden" are presumably expanded and
     collapsed by sidebar.js, loaded in the footer -- confirm before changing
     any of these classes or attributes. -->
<ul
class="level1 ">
<li class="level2">
<a href="getstarted.html" class="level2 ">Getting Started</a>
</li>
<li class="level2">
<a href="overview.html" class="level2 ">Overview</a>
</li>
<li class="level2">
<a href="whats_new.html" class="level2 ">What's New?</a>
</li>
<li class="level2">
<a href="devguide.html" class="level2 ">Developer's Guide</a>
<ul
class="level2 ">
<li class="level3">
<!-- Disclosure toggle: no href, so it is not a navigable link. -->
<a class="button level3">
<span class="level3">Browser UI</span>
<div class="toggleIndicator level3"></div>
</a>
<ul toggleable
class="level3 hidden">
<li class="level4">
<a href="browserAction.html" class="level4 ">Browser Actions</a>
</li>
<li class="level4">
<a href="contextMenus.html" class="level4 ">Context Menus</a>
</li>
<li class="level4">
<a href="notifications.html" class="level4 ">Desktop Notifications</a>
</li>
<li class="level4">
<a href="omnibox.html" class="level4 ">Omnibox</a>
</li>
<li class="level4">
<a href="options.html" class="level4 ">Options Pages</a>
</li>
<li class="level4">
<a href="override.html" class="level4 ">Override Pages</a>
</li>
<li class="level4">
<a href="pageAction.html" class="level4 ">Page Actions</a>
</li>
</ul>
</li>
<li class="level3">
<a class="button level3">
<span class="level3">Browser Interaction</span>
<div class="toggleIndicator level3"></div>
</a>
<ul toggleable
class="level3 hidden">
<li class="level4">
<a href="bookmarks.html" class="level4 ">Bookmarks</a>
</li>
<li class="level4">
<a href="cookies.html" class="level4 ">Cookies</a>
</li>
<li class="level4">
<a href="devtools.html" class="level4 ">Developer Tools</a>
</li>
<li class="level4">
<a href="events.html" class="level4 ">Events</a>
</li>
<li class="level4">
<a href="history.html" class="level4 ">History</a>
</li>
<li class="level4">
<a href="management.html" class="level4 ">Management</a>
</li>
<li class="level4">
<a href="tabs.html" class="level4 ">Tabs</a>
</li>
<li class="level4">
<a href="windows.html" class="level4 ">Windows</a>
</li>
</ul>
</li>
<li class="level3">
<a class="button level3">
<span class="level3">Implementation</span>
<div class="toggleIndicator level3"></div>
</a>
<ul toggleable
class="level3 hidden">
<li class="level4">
<a href="a11y.html" class="level4 ">Accessibility</a>
</li>
<li class="level4">
<a href="event_pages.html" class="level4 ">Event Pages</a>
</li>
<li class="level4">
<a href="contentSecurityPolicy.html" class="level4 ">Content Security Policy</a>
</li>
<li class="level4">
<a href="content_scripts.html" class="level4 ">Content Scripts</a>
</li>
<li class="level4">
<a href="xhr.html" class="level4 ">Cross-Origin XHR</a>
</li>
<li class="level4">
<a href="i18n.html" class="level4 ">Internationalization</a>
</li>
<li class="level4">
<a href="messaging.html" class="level4 ">Message Passing</a>
</li>
<li class="level4">
<a href="permissions.html" class="level4 ">Optional Permissions</a>
</li>
<li class="level4">
<a href="npapi.html" class="level4 ">NPAPI Plugins</a>
</li>
</ul>
</li>
<li class="level3">
<a class="button level3">
<span class="level3">Finishing</span>
<div class="toggleIndicator level3"></div>
</a>
<ul toggleable
class="level3 hidden">
<li class="level4">
<a href="hosting.html" class="level4 ">Hosting</a>
</li>
<li class="level4">
<a href="external_extensions.html" class="level4 ">Other Deployment Options</a>
</li>
</ul>
</li>
</ul>
</li>
<li class="level2">
<a href="tutorials.html" class="level2 ">Tutorials</a>
<ul
class="level2 ">
<li class="level3">
<a href="tut_migration_to_manifest_v2.html" class="level3 ">Manifest V2</a>
</li>
<li class="level3">
<a href="tut_debugging.html" class="level3 ">Debugging</a>
</li>
<li class="level3">
<a href="tut_analytics.html" class="level3 ">Google Analytics</a>
</li>
<li class="level3">
<a href="tut_oauth.html" class="level3 ">OAuth</a>
</li>
</ul>
</li>
<li class="level2">
<!-- Group heading without a landing page, hence a <span> rather than a link. -->
<span class="level2">Reference</span>
<ul
class="level2 ">
<li class="level3">
<a class="button level3">
<span class="level3">Formats</span>
<div class="toggleIndicator level3"></div>
</a>
<ul toggleable
class="level3 hidden">
<li class="level4">
<a href="manifest.html" class="level4 ">Manifest Files</a>
</li>
<li class="level4">
<a href="match_patterns.html" class="level4 ">Match Patterns</a>
</li>
</ul>
</li>
<li class="level3">
<a href="permission_warnings.html" class="level3 ">Permission Warnings</a>
</li>
<li class="level3">
<a href="api_index.html" class="level3 ">chrome.* APIs</a>
</li>
<li class="level3">
<a href="api_other.html" class="level3 ">Other APIs</a>
</li>
</ul>
</li>
<li class="level2">
<span class="level2">More</span>
<ul
class="level2 ">
<!-- The two code.google.com entries are off-site links. -->
<li class="level3">
<a href="http://code.google.com/chrome/webstore/docs/index.html" class="level3 ">Chrome Web Store</a>
</li>
<li class="level3">
<a href="http://code.google.com/chrome/apps/docs/developers_guide.html" class="level3 ">Hosted Apps</a>
</li>
<li class="level3">
<a href="themes.html" class="level3 ">Themes</a>
</li>
</ul>
</li>
</ul>
</div>
<div id="gc-pagecontent">
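<h1 class="page_title">Using eval in Chrome Extensions. Safely.</h1>
<!-- In-page table of contents; each fragment matches an h2/h3 id below.
     Attribute values are quoted and the nested list is one item per line. -->
<div id="toc" role="navigation" aria-labelledby="toc-heading">
<h2 id="toc-heading">Contents</h2>
<ol>
<li>
<a href="#why_sandbox">Why sandbox?</a>
</li>
<li>
<a href="#creating_and_using">Creating and using a sandbox.</a>
<ol>
<li><a href="#list_files">List files in manifest</a></li>
<li><a href="#load_file">Load the sandboxed file</a></li>
<li><a href="#do_something">Do something dangerous</a></li>
<li><a href="#pass_result">Pass the result back</a></li>
</ol>
</li>
</ol>
</div>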
<p>
Chrome's extension system enforces a fairly strict default
<a href='contentSecurityPolicy.html'>
<strong>Content Security Policy (CSP)</strong>
</a>. The policy restrictions are straightforward: script must be moved
out-of-line into separate JavaScript files, inline event handlers must be
converted to use <code>addEventListener</code>, and <code>eval()</code> is
disabled. Chrome Apps have an
<a href='http://developer.chrome.com/trunk/apps/app_csp.html'>even stricter
policy</a>, and we're quite happy with the security properties these policies
provide.
</p>
<p>
We recognize, however, that a variety of libraries use <code>eval()</code> and
<code>eval</code>-like constructs such as <code>new Function()</code> for
performance optimization and ease of expression. Templating libraries are
especially prone to this style of implementation. While some (like
<a href='http://angularjs.org/'>Angular.js</a>) support CSP out of the box,
many popular frameworks haven't yet updated to a mechanism that is compatible
with extensions' <code>eval</code>-less world. Removing support for that
functionality has therefore proven <a href='http://crbug.com/107538'>more
problematic than expected</a> for developers.
</p>
<p>
This document introduces sandboxing as a safe mechanism to include these
libraries in your projects without compromising on security. For brevity,
we'll be using the term <em>extensions</em> throughout, but the concept
applies equally to applications.
</p>
<h2 id="why_sandbox">Why sandbox?</h2>
<p>
<code>eval</code> is dangerous inside an extension because the code it
executes has access to everything in the extension's high-permission
environment. A slew of powerful <code>chrome.*</code> APIs are available that
could severely impact a user's security and privacy; simple data exfiltration
is the least of our worries. The solution on offer is a sandbox in which
<code>eval</code> can execute code without access either to the extension's
data or the extension's high-value APIs. No data, no APIs, no problem.
</p>
<p>
We accomplish this by listing specific HTML files inside the extension package
as being sandboxed. Whenever a sandboxed page is loaded, it will be moved to a
<a href='http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html#sandboxed-origin-browsing-context-flag'>unique origin</a>,
and will be denied access to <code>chrome.*</code> APIs. If we load this
sandboxed page into our extension via an <code>iframe</code>, we can pass it
messages, let it act upon those messages in some way, and wait for it to pass
us back a result. This simple messaging mechanism gives us everything we need
to safely include <code>eval</code>-driven code in our extension's workflow.
</p>
<h2 id="creating_and_using">Creating and using a sandbox.</h2>
<p>
If you'd like to dive straight into code, please grab the
<a href='http://code.google.com/chrome/extensions/samples.html#3c6dfba67f6a7480d931b5a4a646c151ad1a049b'>sandboxing
sample extension and take off</a>. It's a working example of a tiny messaging
API built on top of the <a href='http://handlebarsjs.com'>Handlebars</a>
templating library, and it should give you everything you need to get going.
For those of you who'd like a little more explanation, let's walk through that
sample together here.
</p>
<h3 id="list_files">List files in manifest</h3>
<p>
Each file that ought to be run inside a sandbox must be listed in the
extension manifest by adding a <code>sandbox</code> property. This is a
critical step, and it's easy to forget, so please double check that your
sandboxed file is listed in the manifest. In this sample, we're sandboxing the
file cleverly named "sandbox.html". The manifest entry looks like this:
</p>
<pre>{
...,
"sandbox": {
"pages": ["sandbox.html"]
},
...
}</pre>
<h3 id="load_file">Load the sandboxed file</h3>
<p>
In order to do something interesting with the sandboxed file, we need to load
it in a context where it can be addressed by the extension's code. Here,
<a href='http://code.google.com/chrome/extensions/examples/howto/sandbox/sandbox.html'>sandbox.html</a>
has been loaded into the extension's <a href='http://code.google.com/chrome/extensions/dev/event_pages.html'>Event
Page</a> (<a href='http://code.google.com/chrome/extensions/examples/howto/sandbox/eventpage.html'>eventpage.html</a>)
via an <code>iframe</code>. <a href='http://code.google.com/chrome/extensions/examples/howto/sandbox/eventpage.js'>eventpage.js</a>
contains code that sends a message into the sandbox whenever the browser
action is clicked by finding the <code>iframe</code> on the page, and
executing the <code>postMessage</code> method on its
<code>contentWindow</code>. The message is an object containing two
properties: <code>context</code> and <code>command</code>. We'll dive into
both in a moment.
</p>
<pre>chrome.browserAction.onClicked.addListener(function() {
var iframe = document.getElementById('theFrame');
// Only serializable data can cross into the frame (no functions).
var message = {
command: 'render',
context: {thing: 'world'}
};
// '*' is used because the sandboxed frame has a unique origin (see "Why
// sandbox?"), which a specific targetOrigin string cannot name.
iframe.contentWindow.postMessage(message, '*');
});</pre>
<p class="note">
For general information about the <code>postMessage</code> API, take a look at
the <a href="https://developer.mozilla.org/en/DOM/window.postMessage">
<code>postMessage</code> documentation on MDN
</a>. It's quite complete and worth reading. In particular, note that data can
only be passed back and forth if it's serializable. Functions, for instance,
are not.
</p>
<h3 id="do_something">Do something dangerous</h3>
<p>
When <code>sandbox.html</code> is loaded, it loads the Handlebars library, and
creates and compiles an inline template in the way Handlebars suggests:
</p>
<pre><script src="handlebars-1.0.0.beta.6.js"></script>
<script id="hello-world-template" type="text/x-handlebars-template">
<div class="entry">
<h1>Hello, {{thing}}!</h1>
</div>
</script>
<script>
// Compiled templates keyed by name (an array used as a string-keyed map).
var templates = [];
var source = document.getElementById('hello-world-template').innerHTML;
// Handlebars.compile ends up calling new Function; that is only allowed
// here because this page is listed as sandboxed in the manifest.
templates['hello'] = Handlebars.compile(source);
</script></pre>
<p>
This doesn't fail! Even though <code>Handlebars.compile</code> ends up using
<code>new Function</code>, things work exactly as expected, and we end up with
a compiled template in <code>templates['hello']</code>.
</p>
<h3 id="pass_result">Pass the result back</h3>
<p>
We'll make this template available for use by setting up a message listener
that accepts commands from the Event Page. We'll use the <code>command</code>
passed in to determine what ought to be done (you could imagine doing more
than simply rendering; perhaps creating templates? Perhaps managing them in
some way?), and the <code>context</code> will be passed into the template
directly for rendering. The rendered HTML will be passed back to the Event
Page so the extension can do something useful with it later on:
</p>
<pre>window.addEventListener('message', function(event) {
// No sender check: anything that can reach this frame may ask it to render.
// That is acceptable here because the frame holds no extension data and
// has no chrome.* APIs (see "Why sandbox?").
var command = event.data.command;
var name = event.data.name || 'hello';
switch(command) {
case 'render':
// Reply only to the sender, at the origin the message came from.
// A name that was never compiled leaves templates[name] undefined, and
// the call below then throws a TypeError.
event.source.postMessage({
name: name,
html: templates[name](event.data.context)
}, event.origin);
break;
// case 'somethingElse':
// ...
}
});</pre>
<p>
Back in the Event Page, we'll receive this message, and do something
interesting with the <code>html</code> data we've been passed. In this case,
we'll just echo it out via a <a href='http://code.google.com/chrome/extensions/notifications.html'>Desktop
Notification</a>, but it's entirely possible to use this HTML safely as part
of the extension's UI. Inserting it via <code>innerHTML</code> doesn't pose a
significant security risk, as even a complete compromise of the sandboxed code
through some clever attack would be unable to inject dangerous script or
plugin content into the high-permission extension context. Treat the returned
string as untrusted markup all the same: CSP blocks script and plugin content,
but other injected markup (links, images, forms) is not blocked and could still
mislead the user, so only insert it where arbitrary HTML is acceptable.
</p>
<p>
This mechanism makes templating straightforward, but it of course isn't
limited to templating. Any code that doesn't work out of the box under a
strict Content Security Policy can be sandboxed; in fact, it's often useful
to sandbox components of your extensions that <em>would</em> run correctly in
order to restrict each piece of your program to the smallest set of privileges
necessary for it to properly execute. The
<a href="http://www.youtube.com/watch?v=GBxv8SaX0gg">Writing Secure Web Apps
and Chrome Extensions</a> presentation from Google I/O 2012 gives some good
examples of these techniques in action, and is worth 56 minutes of your time.
</p>
</div>
</div>
</body>
<script>
// Page-level data for the static scripts loaded in the footer
// (branch.js / sidebar.js) -- presumably; confirm which script reads what.
window.bootstrap = {
// chrome.* API names: the stable list concatenated with the experimental list.
// "last":true marks the final entry of each list.
api_names: [{"name":"alarms"},{"name":"bookmarks"},{"name":"browserAction"},{"name":"browsingData"},{"name":"commands"},{"name":"contentSettings"},{"name":"contextMenus"},{"name":"cookies"},{"name":"debugger"},{"name":"declarativeWebRequest"},{"name":"devtools.inspectedWindow"},{"name":"devtools.network"},{"name":"devtools.panels"},{"name":"downloads"},{"name":"events"},{"name":"extension"},{"name":"fileBrowserHandler"},{"name":"fontSettings"},{"name":"history"},{"name":"i18n"},{"name":"idle"},{"name":"input.ime"},{"name":"management"},{"name":"omnibox"},{"name":"pageAction"},{"name":"pageCapture"},{"name":"permissions"},{"name":"privacy"},{"name":"proxy"},{"name":"runtime"},{"name":"scriptBadge"},{"name":"storage"},{"name":"tabs"},{"name":"topSites"},{"name":"tts"},{"name":"ttsEngine"},{"name":"types"},{"name":"webNavigation"},{"name":"webRequest"},{"name":"webstore"},{"last":true,"name":"windows"}].concat(
[{"name":"experimental.bluetooth"},{"name":"experimental.devtools.audits"},{"name":"experimental.devtools.console"},{"name":"experimental.discovery"},{"name":"experimental.identity"},{"name":"experimental.infobars"},{"name":"experimental.offscreenTabs"},{"name":"experimental.processes"},{"name":"experimental.record"},{"name":"experimental.speechInput"},{"name":"experimental.systemInfo.cpu"},{"name":"experimental.systemInfo.storage"},{"last":true,"name":"experimental.usb"}]),
// Release channels and the one this page was built from ("current": "stable").
branchInfo: {"channels":[{"path":"stable","name":"Stable"},{"path":"dev","name":"Dev"},{"path":"beta","name":"Beta"},{"path":"trunk","name":"Trunk"}],"current":"stable","showWarning":false}
};
</script>
<div id="gc-footer">
<div class="text">
<p>
Except as otherwise <a href="http://code.google.com/policies.html#restrictions">noted</a>,
the content of this page is licensed under the <a rel="license" href="http://creativecommons.org/licenses/by/3.0/">Creative Commons
Attribution 3.0 License</a>, and code samples are licensed under the
<a rel="license" href="http://code.google.com/google_bsd_license.html">BSD License</a>.
</p>
<p>
©2012 Google
</p>
<script src="stable/static/js/branch.js" type="text/javascript"></script>
<script src="stable/static/js/sidebar.js" type="text/javascript"></script>
<script src="stable/static/js/prettify.js" type="text/javascript"></script>
<script>
(function() {
// Tag every <pre> on the page for google-code-prettify, then run the
// highlighter once over the whole document.
var codeBlocks = document.querySelectorAll('pre');
Array.prototype.forEach.call(codeBlocks, function(block) {
block.classList.add('prettyprint');
});
prettyPrint();
})();
</script>
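<div id="footer_cus">{Footer}</div>
<script src="Libs/Yixi.js"></script>
<!-- Third-party visitor counter fetched over plain http with no integrity
     attribute, so whatever is served under that URL runs with this page's
     privileges. Serve it over https and pin it with integrity/crossorigin
     (the hash is not available here), or drop it. The obsolete "language"
     attribute is removed and the query-string ampersand is escaped. -->
<script src="http://s9.cnzz.com/stat.php?id=4928336&amp;web_id=4928336"></script>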
</div>
</div>
</html>