Make it clear that CSP might have an effect on cross-origin XHR if tightened.

BUG=152181 Review URL: https://chromiumcodereview.appspot.com/10987039 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@162386 0039d316-1c4b-4281-b951-d872f2087c98

Make it clear that CSP might have an effect on cross-origin XHR if tightened.
BUG=152181 Review URL: https://chromiumcodereview.appspot.com/10987039 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@162386 0039d316-1c4b-4281-b951-d872f2087c98
8e10edb4 · mkwst@chromium.org · d3bdf54e · 8e10edb4
Commit 8e10edb4 authored Oct 17, 2012 by mkwst@chromium.org
Hide whitespace changes
Inline Side-by-side

Showing with 13 additions and 1 deletion

chrome/common/extensions/docs/templates/articles/xhr.html chrome/common/extensions/docs/templates/articles/xhr.html +13 -1

No files found.
--- a/chrome/common/extensions/docs/templates/articles/xhr.html
+++ b/chrome/common/extensions/docs/templates/articles/xhr.html
@@ -147,4 +147,16 @@ extension is used on a hostile network, an network attacker (aka a <a
 href="http://en.wikipedia.org/wiki/Man-in-the-middle_attack">"man-in-the-middle"</a>)
 could modify the response and, potentially, attack your extension.  Instead,
 prefer HTTPS whenever possible.
-</p>
\ No newline at end of file
+</p>
+
+<h3 id="interaction-with-csp">Interaction with Content Security Policy</h3>
+
+<p>
+If you modify the default <a href="contentSecurityPolicy.html">Content
+Security Policy</a> for apps or extensions by adding a
+<code>content_security_policy</code> attribute to your manifest, you'll need to
+ensure that any hosts to which you'd like to connect are allowed. While the
+default policy doesn't restrict connections to hosts, be careful when explicitly
+adding either the <code>connect-src</code> or <code>default-src</code>
+directives.
+</p>