Gmail Content Security Policy on Chrome extensions

Time: 2014-12-16 22:26:42

Tags: javascript google-chrome google-chrome-extension content-security-policy

Gmail just updated its Content Security Policy: http://googleonlinesecurity.blogspot.com/2014/12/reject-unexpected-content-security.html

This is causing errors for my Chrome extension, which augments Gmail. To be clear, my content script loads another script that is hosted on my server. This allows for fast deployment.

 Refused to load the script 'https://<domain-path>.js?' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://talkgadget.google.com/ https://www.googleapis.com/appsmarket/v2/installedApps/ https://www-gm-opensocial.googleusercontent.com/gadgets/js/ https://docs.google.com/static/doclist/client/js/ https://www.google.com/tools/feedback/ https://s.ytimg.com/yts/jsbin/ https://www.youtube.com/iframe_api https://ssl.google-analytics.com/ https://apis.google.com/_/scs/abc-static/ https://apis.google.com/js/ https://clients1.google.com/complete/ https://apis.google.com/_/scs/apps-static/_/js/ https://ssl.gstatic.com/inputtools/js/ https://ssl.gstatic.com/cloudsearch/static/o/js/ https://www.gstatic.com/feedback/js/ https://www.gstatic.com/common_sharing/static/client/js/ https://www.gstatic.com/og/_/js/".

This is how I load the hosted script from my content script:

// Content script: inject a <script src=...> that points at the remotely hosted file.
// The page's CSP applies to this element, so script-src must allow the host.
var script = document.createElement('script');
script.type = 'text/javascript';
script.src = 'https://<domain-path>.js';
(document.body || document.head || document.documentElement).appendChild(script);

Any ideas?

1 answer:

Answer 0 (score: 3)

You should not insert external scripts in Gmail, because it slows down the page load time and makes it harder for others to audit your extension. You should certainly not remove the Content-Security-Policy header using the webRequest API, since that would lower the security of Gmail.

If you really want to fetch and run the latest version of your code in the page's context, load the script with XMLHttpRequest and then insert a <script> tag using the following code:

// NOTE: Inserting external scripts should be avoided if possible!
// Do not use this method if your extension can completely function
// without external scripts!

// Even if you have to load an external script, make sure that it is loaded over
// https:, NEVER over http: ! If you insert scripts from http:-URLs, your users'
// security can be compromised by MITM attacks.

var x = new XMLHttpRequest();
x.open('GET', 'https://example.com/script.js');
x.onload = function() {
    var s = document.createElement('script');
    s.textContent = x.responseText;
    (document.head || document.documentElement).appendChild(s);
};
x.onerror = function() {
    // Failed to load. Fallback to loading an (old version of your) script
    // that is bundled with your extension. It must be listed in the
    // "web_accessible_resources" section in your manifest file.
    var s = document.createElement('script');
    s.src = chrome.runtime.getURL('script.js');
    (document.head || document.documentElement).appendChild(s);
};
x.send();

This method does not require the 'unsafe-inline' directive, because inline scripts inserted by an extension bypass the Content Security Policy (ref).
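The error in the question is just CSP doing its job: the injected `<script src>` is matched against every source expression in `script-src`, and the asker's host is not in the list. As an added example (not part of the question or the answer above), here is a small CSP Level 2 style matcher for `script-src` that lets you check offline, before shipping an extension, whether a given script URL would be accepted by a page's policy. It assumes a Gmail document origin of https://mail.google.com (not stated on the page) and uses example.com as a stand-in for the asker's redacted `<domain-path>`; Chrome's extension-specific exemptions that the answer relies on (content-script inline injection, chrome-extension: URLs) are deliberately not modelled.

```javascript
// Added example, not from the original question or answer: an offline
// script-src matcher following the CSP2 "does url match source expression"
// rules. Assumptions: page origin https://mail.google.com, and no modelling
// of Chrome's extension-specific CSP exemptions.

// Constructed from the script-src directive quoted in the question's error message.
const GMAIL_POLICY =
  "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://talkgadget.google.com/ " +
  "https://www.googleapis.com/appsmarket/v2/installedApps/ " +
  "https://www-gm-opensocial.googleusercontent.com/gadgets/js/ " +
  "https://docs.google.com/static/doclist/client/js/ https://www.google.com/tools/feedback/ " +
  "https://s.ytimg.com/yts/jsbin/ https://www.youtube.com/iframe_api " +
  "https://ssl.google-analytics.com/ https://apis.google.com/_/scs/abc-static/ " +
  "https://apis.google.com/js/ https://clients1.google.com/complete/ " +
  "https://apis.google.com/_/scs/apps-static/_/js/ https://ssl.gstatic.com/inputtools/js/ " +
  "https://ssl.gstatic.com/cloudsearch/static/o/js/ https://www.gstatic.com/feedback/js/ " +
  "https://www.gstatic.com/common_sharing/static/client/js/ https://www.gstatic.com/og/_/js/";

const PAGE_URL = 'https://mail.google.com/mail/u/0/'; // assumed Gmail document URL

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// host-source grammar: [scheme://] host [:port] [/path]
const HOST_SOURCE =
  /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?(\/[^?#]*)?$/i;

// Split a policy into { directiveName: [sourceExpression, ...] }.
// When a directive is repeated, CSP honours only its first occurrence.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Does `url` match one source expression, for a document at `page`?
function matchesExpression(expr, url, page) {
  const keyword = expr.toLowerCase();
  if (keyword === "'self'") return url.origin === page.origin;
  if (keyword.startsWith("'")) return false;       // 'unsafe-inline', nonces, hashes never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === keyword; // scheme-source, e.g. https:

  const m = HOST_SOURCE.exec(expr);
  if (!m) return false;
  const [, scheme, rawHost, port, path] = m;
  const host = rawHost.toLowerCase();

  // Scheme: an explicit scheme must match; otherwise use the page's (http pages may load https).
  if (scheme) {
    if (url.protocol !== scheme.toLowerCase() + ':') return false;
  } else if (url.protocol !== page.protocol &&
             !(page.protocol === 'http:' && url.protocol === 'https:')) {
    return false;
  }

  // Host: '*' matches anything, '*.example.com' matches subdomains only, else exact match.
  if (host !== '*') {
    if (host.startsWith('*.')) {
      if (!url.hostname.endsWith(host.slice(1))) return false;
    } else if (url.hostname !== host) {
      return false;
    }
  }

  // Port: an explicit port must match (or be '*'); no port means the scheme's default only.
  const urlPort = url.port || DEFAULT_PORTS[url.protocol] || '';
  if (port !== undefined) {
    if (port !== '*' && port !== urlPort) return false;
  } else if (url.port !== '') {
    return false;
  }

  // Path: a trailing '/' is a prefix match; otherwise the path must match exactly.
  if (path) {
    if (path.endsWith('/')) {
      if (!url.pathname.startsWith(path)) return false;
    } else if (url.pathname !== path) {
      return false;
    }
  }
  return true;
}

// True if scriptUrl may be loaded as an external <script src> on pageUrl under policy.
function scriptAllowed(policy, scriptUrl, pageUrl) {
  const dirs = parsePolicy(policy);
  const sources = dirs['script-src'] || dirs['default-src'];
  if (!sources) return true;                       // no governing directive: unrestricted
  if (sources.length === 1 && sources[0].toLowerCase() === "'none'") return false;
  const url = new URL(scriptUrl);
  const page = new URL(pageUrl);
  return sources.some((s) => matchesExpression(s, url, page));
}

// Candidate URLs constructed for this example; example.com stands in for <domain-path>.
function checkScripts() {
  const candidates = [
    'https://example.com/script.js',
    'https://apis.google.com/js/api.js',
    'https://www.youtube.com/iframe_api',
    'https://www.youtube.com/iframe_api.js',
    'https://mail.google.com/mail/static/app.js',
    'http://apis.google.com/js/api.js',
  ];
  const results = {};
  for (const c of candidates) results[c] = scriptAllowed(GMAIL_POLICY, c, PAGE_URL);
  return results;
}

for (const [u, ok] of Object.entries(checkScripts())) {
  console.log(ok ? 'allowed' : 'REFUSED', u);
}
```

Two details from the quoted policy are worth noticing in the output: `https://www.youtube.com/iframe_api` has no trailing slash, so it is an exact-path match and `iframe_api.js` on the same host is refused, while entries ending in `/` allow anything beneath that prefix. Neither `'unsafe-inline'` nor `'unsafe-eval'` ever matches a URL, which is why the asker's `<script src>` is refused despite both being present.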