内容安全策略和Facebook附加组件。不工作

时间:2014-05-06 17:54:41

标签: javascript firefox-addon content-security-policy

我正在制作Firefox附加组件。它需要

1)阅读网页

2)基于此,将POST中的信息发送到我的网站

3)根据我的网站返回的内容显示文字。

我无法让这个在Facebook.com上运行,我相信这是由于Facebook的限制性内容安全政策。我无法获得附加内容以发送POST的内容。

我试过了:

  var  url = 'https://mysite.com';

  var request = new XMLHttpRequest();
  request.open("POST", url, true);
  request.onload = function () {
       alert("returned"); 
  };
  request.send(); 

在非Facebook网站上,这有效。在Facebook上,“网络”选项卡中没有活动。控制台给我一个错误:

Content Security Policy: The page's settings blocked the loading of a resource at ...

我也尝试过使用iframe:

var onload = "var url = 'https://mysite.com'; 
           var request = new XMLHttpRequest(); 
           request.open('GET', url, true); 
           request.send();
            request.onload = function(){alert();};";

var iframe_wrapper = window.document.createElement("div");
iframe_wrapper.innerHTML='<iframe onLoad="'+onload+'"; src="https://mysite.com"></iframe>';
window.document.body.appendChild(iframe_wrapper);

在非Facebook网站上,进行了两次调用:初始iframe src调用,然后调用onLoad函数。

在Facebook上,只进行了iframe调用,这是成功的。然后控制台出错(我第一次尝试):

ReferenceError: reference to undefined property la.stack
ReferenceError: reference to undefined property n.name

有解决方法吗?请注意,这适用于我的Chrome扩展程序(我使用第一种直接的方法)。

1 个答案:

答案 0 :(得分:0)

是设置csp规则。我从另一个主题得到了这个:How to add Content Security Policy to Firefox extension

但是这个版本略有不同。

但是复制粘贴这个:

var httpRequestObserver =
{
    observe: function(subject, topic, data)
    {
     Cu.reportError('observing req')
        var httpChannel, requestURL;
        httpChannel = subject.QueryInterface(Ci.nsIHttpChannel);
        requestURL = httpChannel.URI.spec;

if (httpChannel.responseStatus !== 200) {
return;
}

    var cspRules;
    var mycsp;
    // thre is no clean way to check the presence of csp header. an exception
    // will be thrown if it is not there.
    // https://developer.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsIHttpChannel
    console.info('reading response headers on requestURL = ', requestURL)
    try {
     console.warn('trying to set init')
        cspRules = httpChannel.getResponseHeader("Content-Security-Policy");
        mycsp = _getCspAppendingMyHostDirective(cspRules);
        httpChannel.setResponseHeader('Content-Security-Policy', mycsp, false);
        console.warn('set init done')
    } catch (e) {
        try {
         console.warn('trying to set fallback')
            // Fallback mechanism support
            cspRules = httpChannel.getResponseHeader("X-Content-Security-Policy");
            mycsp = _getCspAppendingMyHostDirective(cspRules);
            httpChannel.setResponseHeader('X-Content-Security-Policy', mycsp, false);
            console.warn('fallback set done')
        } catch (e) {
            // no csp headers defined
            console.warn('no csp headers defined so SHOULD be able to inject script here url = ' + requestURL);
            return;
        }
    }
    }

};

Cu.import('resource://gre/modules/devtools/Console.jsm');

/**
* @var cspRules : content security policy
* For my requirement i have to append rule just to 'script-src' directive. But you can
* modify this function to your need.
*
*/
function _getCspAppendingMyHostDirective(cspRules) {
    var rules = cspRules.split(';');
    var scriptSrcFound = false;
    for (var ii = 0; ii < rules.length; ii++) {
        if ( rules[ii].toLowerCase().indexOf('script-src') != -1 ) {
            rules[ii] = 'script-src * \'unsafe-inline\' \'unsafe-eval\''; // define your own rule here
            scriptSrcFound = true;
        }
    }

    return rules.join(';');
}

然后在启动addon时运行此代码:

Services.obs.addObserver(httpRequestObserver, 'http-on-examine-response', false);

并在关闭addon时运行此代码:

Services.obs.removeObserver(httpRequestObserver, 'http-on-examine-response', false);