我正在尝试创建一个Chrome扩展程序,它会将iframe边栏注入任何页面。我遇到了一些使用CSP指令限制可以构建框架的网站的问题(以下示例是LinkedIn)。我认为我会尝试使用onBeforeSendHeaders来捕获所有content-security-policy
标题并删除它们,但我没有取得任何成功。
拒绝框架'https://example.com/',因为它违反了。https://www.linkedin.com' 遵循内容安全策略指令:“frame-src'self' * .doubleclick.net www.slideshare.net radar.cedexis.com platform.linkedin.com media-exp1.licdn.com media-exp2.licdn.com m.c.exp1.licdn.com m.c.exp2.licdn.com media-lcdn.licdn.com m.c.lcdn.licdn.com cdn.embedly.com lichat.azurewebsites.net www.youtube.com www.facebook.com player.vimeo.com embed.ted.com livestream.com embed.gettyimages.com w.soundcloud.com www.lynda.com media.licdn.com“。
这是我的清单文件:
{
"manifest_version": 2,
"name": "My Ext",
"description": "My ext desc",
"version": "0.1",
"content_scripts": [{
"matches": ["<all_urls>"],
"js": ["jquery-3.3.1.min.js","content.js","scripts.js"],
"css": ["content.css"]
}],
"background": {
"scripts": ["background.js"]
},
"permissions": ["tabs","activeTab","storage","webRequest","webRequestBlocking","<all_urls>"],
"browser_action": {
"default_icon": {
"16": "images/icon16.png",
"32": "images/icon32.png",
"48": "images/icon48.png",
"128": "images/icon128.png"
}
},
"icons": {
"16": "images/icon16.png",
"32": "images/icon32.png",
"48": "images/icon48.png",
"128": "images/icon128.png"
}
}
这是我的background.js中的代码,试图删除标题:
chrome.webRequest.onBeforeSendHeaders.addListener(
function(details) {
console.log(details.requestHeaders);
for (var i = 0; i < details.requestHeaders.length; ++i) {
if (details.requestHeaders[i].name === 'content-security-policy') {
details.requestHeaders.splice(i, 1);
break;
}
}
return {requestHeaders: details.requestHeaders};
},
{urls: ["<all_urls>"]},
["blocking", "requestHeaders"]);
我出错的任何想法?
编辑:我还尝试了一种方法,使用onHeadersReceived
添加额外的标头,允许example.com。我可以看到添加了标题,它阻止了另一个帧被加载,但是example.com仍然被拒绝 - 我假设它仍然与前一个标题冲突?
该版本的清单是相同的,但这是该版本的background.js:
chrome.webRequest.onHeadersReceived.addListener(function(details) {
console.log(details.responseHeaders);
details.responseHeaders.push({
name: 'content-security-policy',
value: 'frame-src example.com'
});
return { responseHeaders: details.responseHeaders };
}, {
urls: ['*://*.linkedin.com/*']
}, [
"responseHeaders","blocking"
]);
以下是内容和背景的控制台日志的屏幕截图: