| 类型 |
数组
|
|---|---|
| Mandatory | No |
| 范例 |
|
Sometimes you want to package resources—for example, images, HTML, CSS, or JavaScript—with your extension and make them available to web pages.
例如,
Beastify example extension
replaces a web page with an image of a beast selected by the user. The beast images are packaged with the extension. To make the selected image visible, the extension adds
<img>
elements whose
src
attribute points to the beast's image. For the web page to be able to load the images, they must be made web accessible.
With the
web_accessible_resources
key, you list all the packaged resources that you want to make available to web pages. You specify them as paths relative to the manifest.json file.
Note that content scripts don't need to be listed as web accessible resources.
If an extension wants to use
webRequest
to redirect a public URL (e.g., HTTPS) to a page that's packaged in the extension, then the extension must list the page in the
web_accessible_resources
key.
For example, suppose your extension includes an image file at images/my-image.png, like this:
my-extension-files/
manifest.json
my-background-script.js
images/
my-image.png
To enable a web page to use an
<img>
element whose
src
attribute points to this image, you would specify
web_accessible_resources
像这样:
"web_accessible_resources": ["images/my-image.png"]
The file is then available using a URL like:
moz-extension://<extension-UUID>/images/my-image.png"
<extension-UUID>
is
not
your extension's ID. This ID is randomly generated for every browser instance. This prevents websites from fingerprinting a browser by examining the extensions it has installed.
注意:
In Chrome, an extension's ID is fixed. When a resource is listed in
web_accessible_resources
, it is accessible as
chrome-extension://<your-extension-id>/<path/to/resource>
.
The recommended approach to obtaining the URL of the resource is to use
runtime.getURL
passing the path relative to manifest.json, for example:
browser.runtime.getURL("images/my-image.png");
// something like:
// moz-extension://944cfddf-7a95-3c47-bd9a-663b3ce8d699/images/my-image.png
This approach gives you the correct URL regardless of the browser your extension is running on.
web_accessible_resources
entries can contain wildcards. For example, the following entry would also work to include the resource at "images/my-image.png":
"web_accessible_resources": ["images/*.png"]
Note that if you make a page web-accessible, any website may link or redirect to that page. The page should then treat any input (POST data, for examples) as if it came from an untrusted source, just as a normal web page should.
Web-accessible extension resources are not blocked by CORS or CSP . Because of this ability to bypass security checks, extensions should avoid the use of web-accessible scripts when possible. A web-accessible extension script can unexpectedly be misused by malicious websites to weaken the security of other websites. Follow the security best practices by avoiding injection of moz-extension:-URLs in web pages and ensuring that third-party libraries are up to date.
"web_accessible_resources": ["images/my-image.png"]
Make the file at "images/my-image.png" web accessible.
BCD tables only load in the browser
最后修改: , 由 MDN 贡献者