How to override content security policy while including script in browser JS console?


Problem description

I was trying to include JQuery on an existing website using console this way:

var script = document.createElement('script');
script.src = 'http://code.jquery.com/jquery-1.11.1.min.js';
script.type = 'text/javascript';
document.getElementsByTagName('head')[0].appendChild(script);

Then I got this error:

Content Security Policy: The page's settings blocked the loading of a resource at http://code.jquery.com/jquery-1.11.1.min.js ..

During development I might want to include external Javascript. I might not want to copy paste the entire JQuery code since it does not look neat. How to override the content security policy for development purposes?

This would be really useful for quick testing. I might want to convert the script I am writing to a browser extension later on.

Note (update): I am writing the script over an existing website and do not have control over setting the Content-Security-Policy header.

Recommended answer

You can turn off the CSP for your entire browser in Firefox by disabling security.csp.enable in the about:config menu. If you do this, you should use an entirely separate browser for testing. For example, install Firefox Developer Edition alongside your normal browser and use that for testing (and not normal Web use).

As an alternative, it should be possible to alter the Content-Security-Policy response header before it gets to your browser (via an HTTP proxy). It is also possible to do this with extensions.

A Chrome extension can set its own CSP for its own chrome-extension://... pages, but it cannot alter the CSP of a normal webpage.
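
A script element appended from the console is checked against the page's policy like any other script load, which is why the request in the question was blocked. The following is an added example, not code from the original question or answer: a simplified model of how a policy's script source list is matched against a script URL. The policy string, the page URL and all function names are constructed for illustration, since the site's real policy is not shown on this page.

```javascript
// Simplified model of CSP source matching for <script src>. It ignores nonces,
// hashes, paths and 'strict-dynamic'; the policy and page URL are constructed.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// An http expectation also accepts https (secure upgrade); nothing else crosses schemes.
const schemeOk = (expected, actual) =>
  actual === expected || (expected === 'http:' && actual === 'https:');

function sourceAllows(source, url, page) {
  const s = source.toLowerCase();
  if (s === "'self'") return url.origin === page.origin;
  if (s.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces, hashes
  if (s === '*') return url.protocol === 'http:' || url.protocol === 'https:';
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return schemeOk(s, url.protocol); // e.g. https:
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?/);
  if (!m) return false;
  const [, scheme, host, port] = m;
  // A host source without a scheme inherits the scheme of the protected page.
  if (!schemeOk(scheme ? scheme + ':' : page.protocol, url.protocol)) return false;
  const hostOk = host.startsWith('*.') ? url.hostname.endsWith(host.slice(1)) : url.hostname === host;
  const urlPort = url.port || (url.protocol === 'https:' ? '443' : '80');
  const portOk = port === undefined ? url.port === '' : port === '*' || port === urlPort;
  return hostOk && portOk;
}

function scriptAllowed(header, scriptUrl, pageUrl) {
  const d = parsePolicy(header);
  // Script elements fall back from script-src-elem to script-src to default-src.
  const list = d.get('script-src-elem') ?? d.get('script-src') ?? d.get('default-src');
  if (list === undefined) return true; // no directive governs script loads
  const url = new URL(scriptUrl), page = new URL(pageUrl);
  return list.some((src) => sourceAllows(src, url, page));
}

const POLICY = "default-src 'self'; script-src 'self' https://code.jquery.com"; // constructed
const PAGE = 'https://example.com/'; // constructed
console.log(scriptAllowed(POLICY, 'http://code.jquery.com/jquery-1.11.1.min.js', PAGE));
console.log(scriptAllowed(POLICY, 'https://code.jquery.com/jquery-1.11.1.min.js', PAGE));
```

Under this constructed policy the `http://` URL from the question is refused because the listed source is `https://` only, while the same file over `https://` is permitted.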
