Gmail has just updated its Content Security Policy: http://googleonlinesecurity.blogspot.com/2014/12/reject-unexpected-content-security.html
This breaks my Chrome extension, which extends Gmail. To be clear, my content script loads another script hosted on my server; this lets me deploy quickly.
Refused to load the script 'https://<domain-path>.js?' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://talkgadget.google.com/ https://www.googleapis.com/appsmarket/v2/installedApps/ https://www-gm-opensocial.googleusercontent.com/gadgets/js/ https://docs.google.com/static/doclist/client/js/ https://www.google.com/tools/feedback/ https://s.ytimg.com/yts/jsbin/ https://www.youtube.com/iframe_api https://ssl.google-analytics.com/ https://apis.google.com/_/scs/abc-static/ https://apis.google.com/js/ https://clients1.google.com/complete/ https://apis.google.com/_/scs/apps-static/_/js/ https://ssl.gstatic.com/inputtools/js/ https://ssl.gstatic.com/cloudsearch/static/o/js/ https://www.gstatic.com/feedback/js/ https://www.gstatic.com/common_sharing/static/client/js/ https://www.gstatic.com/og/_/js/".
This is how I load the hosted script from the content script:
var script = document.createElement('script');
script.type = 'text/javascript';
script.src = 'https://<domain-path>.js';
(document.body || document.head || document.documentElement).appendChild(script);
Any ideas?
Answer 0: (score: 3)
You should not insert external scripts into Gmail, because it slows down page loading and makes it harder for others to audit your extension. You should certainly not use the webRequest API to remove the Content-Security-Policy
header, because that lowers Gmail's security.
If you really do want to fetch and execute the latest version of your code in the page context, use XMLHttpRequest
to load the script, and then insert a <script>
tag with the following code:
// NOTE: Inserting external scripts should be avoided if possible!
// Do not use this method if your extension can completely function
// without external scripts!
// Even if you have to load an external script, make sure that it is loaded over
// https:, NEVER over http: ! If you insert scripts from http:-URLs, your users'
// security can be compromised by MITM attacks.
var x = new XMLHttpRequest();
x.open('GET', 'https://example.com/script.js');
x.onload = function() {
var s = document.createElement('script');
s.textContent = x.responseText;
(document.head || document.documentElement).appendChild(s);
};
x.onerror = function() {
// Failed to load. Fallback to loading an (old version of your) script
// that is bundled with your extension. It must be listed in the
// "web_accessible_resources" section in your manifest file.
var s = document.createElement('script');
s.src = chrome.runtime.getURL('script.js');
(document.head || document.documentElement).appendChild(s);
};
x.send();
This method does not require the 'unsafe-inline'
directive, because inline scripts injected by an extension bypass the Content Security Policy (ref).
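To see why the original document.createElement('script') approach is refused while the allowlisted Google hosts load fine, here is an added example (not code from the question or the answer above) that reimplements the script-src matching rules Chrome applies, in simplified form: it covers only 'self', the keyword sources, and host-sources with an optional path, as they appear in the policy quoted in the question; wildcards, nonces and hashes are left out. The directive excerpt and the test URLs, including the extension-updates.example host standing in for the question's <domain-path>, are constructed for the example.

```javascript
// Added example: simplified CSP script-src matcher (not code from the page).
// Covers 'self', keyword sources and host-sources with an optional path only.

// Constructed excerpt of the script-src value from the question's error
// message; a few entries suffice to exercise each matching rule.
const GMAIL_SCRIPT_SRC =
  "'self' 'unsafe-inline' 'unsafe-eval' https://talkgadget.google.com/ " +
  "https://www.googleapis.com/appsmarket/v2/installedApps/ " +
  "https://apis.google.com/js/ https://www.youtube.com/iframe_api";

// Split a directive value into its whitespace-separated source expressions.
function parseSourceList(directiveValue) {
  return directiveValue.trim().split(/\s+/).filter(Boolean);
}

// Host-source matching: scheme and host (including port) must be equal.
// A source path ending in "/" is a directory prefix (a bare host parses to
// "/" and therefore matches every path); any other path must match exactly.
function hostSourceMatches(expr, url) {
  let src;
  try {
    src = new URL(expr);
  } catch (e) {
    return false; // not a parseable host-source
  }
  if (src.protocol !== url.protocol || src.host !== url.host) return false;
  const path = src.pathname;
  if (path.endsWith('/')) return url.pathname.startsWith(path);
  return url.pathname === path;
}

// Decide whether the script-src directive permits loading scriptUrl into a
// page whose origin is pageOrigin. Returns true (allowed) or false (refused).
function scriptAllowed(directiveValue, scriptUrl, pageOrigin) {
  const url = new URL(scriptUrl);
  for (const expr of parseSourceList(directiveValue)) {
    if (expr === "'self'") {
      if (url.origin === pageOrigin) return true;
    } else if (expr.startsWith("'")) {
      // 'unsafe-inline', 'unsafe-eval', ... never allowlist a URL.
      continue;
    } else if (hostSourceMatches(expr, url)) {
      return true;
    }
  }
  return false;
}

// Demo: the extension's own server is not in the allowlist, so the load is
// refused, whereas an allowlisted Google path is accepted. The first host is
// a constructed placeholder standing in for the question's <domain-path>.
const PAGE_ORIGIN = 'https://mail.google.com';
const CHECKS = [
  'https://extension-updates.example/bundle.js',
  'https://apis.google.com/js/api.js',
  'https://apis.google.com/other/api.js',
  'https://www.youtube.com/iframe_api',
  'http://apis.google.com/js/api.js',
];
for (const u of CHECKS) {
  const verdict = scriptAllowed(GMAIL_SCRIPT_SRC, u, PAGE_ORIGIN) ? 'allowed' : 'refused';
  console.log(`${verdict}  ${u}`);
}
```

The matcher shows that neither 'unsafe-inline' nor 'unsafe-eval' widens the set of hosts a script may be fetched from, which is why the answer's XMLHttpRequest-plus-inline-script route works where the src-based tag does not: the fetch is made by the extension, and the inline execution is exempt for extension-injected scripts rather than permitted by the policy.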