Get Inspired
Docs
Blog
Articles
Extensions
Welcome What's new in Chrome extensions
Support and feedback Get help with Chrome extensions File a bug Submit a feature request Find and follow a bug
Welcome Extensions 101 Development basics Run scripts on every page Inject scripts into the active tab Manage tabs Handle events with service workers
Welcome to Manifest V3 Extensions platform vision Overview of Manifest V3
What are themes? Frequently asked questions
Migrate to Manifest V3 Manifest V3 migration checklist Update the manifest Migrate to a service worker Update your code Replace blocking web request listeners Improve extension security Publish your extension Manifest V2 support timeline Known issues when migrating to Manifest V3
API reference Samples
Extension development overview Manifest file format Architecture overview Declare permissions About extension service workers Design the user interface Debug extensions
About extension service workers Extension service worker basics The extension service worker lifecycle Events in service workers Use WebSockets in service workers
Message passing Content scripts Match patterns Using promises Cross-origin isolation Storage and cookies
Use eval() in sandboxed iframes
Overriding Chrome settings Extending DevTools Fetching favicons OAuth2: Authenticate users with Google Override Chrome pages Rich notifications API Native messaging Audio recording and screen capture Use geolocation WebHID in extensions WebUSB in extensions File handling on Chrome OS Unit testing Chrome Extensions End-to-end testing for Chrome Extensions Tutorial: Testing Chrome Extensions with Puppeteer
Protect user privacy Permission warning guidelines Stay secure Accessibility (a11y) Localization message formats Give users options
Extension hosting Alternative extension installation methods Installing extensions on Linux Use Google Analytics 4
About Manifest V2 Getting started
What are extensions? What are themes? Frequently asked questions
Extension development overview Manifest file format Architecture overview Declare permissions Design the user interface Debugging extensions Samples
Message passing Content scripts Manage events with background scripts Match patterns Cross-origin isolation
Cross-origin XMLHttpRequest Using eval in Chrome extensions
Overriding Chrome settings Extending DevTools OAuth2: Authenticate users with Google Overriding Chrome pages Rich notifications API
Protect user privacy Declare permissions and warn users Stay secure Accessibility (a11y) Localization message formats Give users options
Chrome Web Store Alternative extension distribution options Installing extensions on Linux Tutorial: Google analytics
Extensions
Welcome What's new in Chrome extensions
Support and feedback Get help with Chrome extensions File a bug Submit a feature request Find and follow a bug
Welcome Extensions 101 Development basics Run scripts on every page Inject scripts into the active tab Manage tabs Handle events with service workers
Welcome to Manifest V3 Extensions platform vision Overview of Manifest V3
What are themes? Frequently asked questions
Migrate to Manifest V3 Manifest V3 migration checklist Update the manifest Migrate to a service worker Update your code Replace blocking web request listeners Improve extension security Publish your extension Manifest V2 support timeline Known issues when migrating to Manifest V3
API reference Samples
Extension development overview Manifest file format Architecture overview Declare permissions About extension service workers Design the user interface Debug extensions
About extension service workers Extension service worker basics The extension service worker lifecycle Events in service workers Use WebSockets in service workers
Message passing Content scripts Match patterns Using promises Cross-origin isolation Storage and cookies
Use eval() in sandboxed iframes
Overriding Chrome settings Extending DevTools Fetching favicons OAuth2: Authenticate users with Google Override Chrome pages Rich notifications API Native messaging Audio recording and screen capture Use geolocation WebHID in extensions WebUSB in extensions File handling on Chrome OS Unit testing Chrome Extensions End-to-end testing for Chrome Extensions Tutorial: Testing Chrome Extensions with Puppeteer
Protect user privacy Permission warning guidelines Stay secure Accessibility (a11y) Localization message formats Give users options
Extension hosting Alternative extension installation methods Installing extensions on Linux Use Google Analytics 4
About Manifest V2 Getting started
What are extensions? What are themes? Frequently asked questions
Extension development overview Manifest file format Architecture overview Declare permissions Design the user interface Debugging extensions Samples
Message passing Content scripts Manage events with background scripts Match patterns Cross-origin isolation
Cross-origin XMLHttpRequest Using eval in Chrome extensions
Overriding Chrome settings Extending DevTools OAuth2: Authenticate users with Google Overriding Chrome pages Rich notifications API
Protect user privacy Declare permissions and warn users Stay secure Accessibility (a11y) Localization message formats Give users options
Chrome Web Store Alternative extension distribution options Installing extensions on Linux Tutorial: Google analytics

Manifest - Sandbox

Published on Updated on

Warning

You're viewing the deprecated Manifest V2 version of this article. See Manifest V3 - Manifest Sandbox for the MV3 equivalent.

The Chrome Web Store no longer accepts Manifest V2 extensions. Follow the Manifest V3 Migration guide to convert your extension to Manifest V3.

Warning: Starting in version 57, Chrome will no longer allow external web content (including embedded frames and scripts) inside sandboxed pages. Please use a webview instead.

Defines a collection of app or extension pages that are to be served in a sandboxed unique origin, and optionally a Content Security Policy to use with them. Being in a sandbox has two implications:

  1. A sandboxed page will not have access to extension or app APIs, or direct access to non-sandboxed pages (it may communicate with them via postMessage()).

  2. A sandboxed page is not subject to the Content Security Policy (CSP) used by the rest of the app or extension (it has its own separate CSP value). This means that, for example, it can use inline script and eval.

    For example, here's how to specify that two extension pages are to be served in a sandbox with a custom CSP:

    {
      ...
      "sandbox": {
        "pages": [
          "page1.html",
          "directory/page2.html"
        ]
        // content_security_policy is optional.
        "content_security_policy":
            "sandbox allow-scripts; script-src 'self'"
      ],
      ...
    }

    If not specified, the default content_security_policy value is sandbox allow-scripts allow-forms allow-popups allow-modals; script-src 'self' 'unsafe-inline' 'unsafe-eval'; child-src 'self';. You can specify your CSP value to restrict the sandbox even further, but it must have the sandbox directive and may not have the allow-same-origin token (see the HTML5 specification for possible sandbox tokens). Also, the CSP you specify may not allow loading external web content inside sandboxed pages.

Note that you only need to list pages that you expected to be loaded in windows or frames. Resources used by sandboxed pages (e.g. stylesheets or JavaScript source files) do not need to appear in the sandboxed_page list, they will use the sandbox of the page that embeds them.

"Using eval in Chrome Extensions. Safely." goes into more detail about implementing a sandboxing workflow that enables use of libraries that would otherwise have issues executing under extension's default Content Security Policy.

Sandboxed page may only be specified when using manifest_version 2 or above.

Updated on Improve article

This site uses cookies to deliver and enhance the quality of its services and to analyze traffic. If you agree, cookies are also used to serve advertising and to personalize the content and advertisements that you see. Learn more about our use of cookies.