使用Chrome扩展程序删除所有CSP标头,以允许iframing

时间:2018-06-17 21:54:49

标签: google-chrome google-chrome-extension

我正在尝试创建一个Chrome扩展程序,它会将iframe边栏注入任何页面。我遇到了一些使用CSP指令限制可以构建框架的网站的问题(以下示例是LinkedIn)。我认为我会尝试使用onBeforeSendHeaders来捕获所有content-security-policy标题并删除它们,但我没有取得任何成功。

  

拒绝框架'https://example.com/',因为它违反了。https://www.linkedin.com'   遵循内容安全策略指令:“frame-src'self'   * .doubleclick.net www.slideshare.net radar.cedexis.com platform.linkedin.com media-exp1.licdn.com media-exp2.licdn.com   m.c.exp1.licdn.com m.c.exp2.licdn.com media-lcdn.licdn.com   m.c.lcdn.licdn.com cdn.embedly.com content console   lichat.azurewebsites.net www.youtube.com www.facebook.com   player.vimeo.com embed.ted.com livestream.com embed.gettyimages.com   w.soundcloud.com www.lynda.com media.licdn.com“。

这是我的清单文件:

{
    "manifest_version": 2,
    "name": "My Ext",
    "description": "My ext desc",
    "version": "0.1",
    "content_scripts": [{
        "matches": ["<all_urls>"],
        "js": ["jquery-3.3.1.min.js","content.js","scripts.js"],
        "css": ["content.css"]
    }],
    "background": {
        "scripts": ["background.js"]
    },
    "permissions": ["tabs","activeTab","storage","webRequest","webRequestBlocking","<all_urls>"],
    "browser_action": {
        "default_icon": {
            "16": "images/icon16.png",
            "32": "images/icon32.png",
            "48": "images/icon48.png",
            "128": "images/icon128.png"
        }
    },
    "icons": {
        "16": "images/icon16.png",
        "32": "images/icon32.png",
        "48": "images/icon48.png",
        "128": "images/icon128.png"
    }
}

这是我的background.js中的代码,试图删除标题:

chrome.webRequest.onBeforeSendHeaders.addListener(
function(details) {
    console.log(details.requestHeaders);
  for (var i = 0; i < details.requestHeaders.length; ++i) {
    if (details.requestHeaders[i].name === 'content-security-policy') {
      details.requestHeaders.splice(i, 1);
      break;
    }
  }
  return {requestHeaders: details.requestHeaders};
},
{urls: ["<all_urls>"]},
["blocking", "requestHeaders"]);

我出错的任何想法?

编辑:我还尝试了一种方法,使用onHeadersReceived添加额外的标头,允许example.com。我可以看到添加了标题,它阻止了另一个帧被加载,但是example.com仍然被拒绝 - 我假设它仍然与前一个标题冲突?

该版本的清单是相同的,但这是该版本的background.js:

chrome.webRequest.onHeadersReceived.addListener(function(details) {
    console.log(details.responseHeaders);
    details.responseHeaders.push({
        name: 'content-security-policy',
        value: 'frame-src example.com'
    });
    return { responseHeaders: details.responseHeaders };
}, {
    urls: ['*://*.linkedin.com/*']
}, [
    "responseHeaders","blocking"
]);

以下是内容和背景的控制台日志的屏幕截图:

background console

0 个答案:

没有答案