How to inject a script into a page using a bookmarklet if Content Security Policy is enabled on the server?


Question

I have a bookmarklet which uses jQuery and parses some elements on the page. To use jQuery, I am creating a script tag (with src as the jQuery URL) dynamically and appending it to the head tag. This works well for many sites. But there are a few sites, like Facebook, for which the bookmarklet is not able to inject the external JS file into the DOM. I came to know that this behaviour is because of the response header "Content-Security-Policy", which prohibits the inclusion of scripts from any other unauthorized domain. This is to prohibit XSS attacks.

I have a genuine case to insert an external JS file into the DOM. Is there any workaround to bypass the Content Security Policy?

Accepted answer

The spec says (at least I think it still does) that CSP should not prevent bookmarklets, but no browser has implemented this. Your only option is to disable CSP in the browser or use an extension.
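
As an added example (not part of the question or the answer above), here is a small Node-runnable evaluator for the `script-src` directive of a Content-Security-Policy header. It shows why a `<script src>` that a bookmarklet appends for a third-party host such as a jQuery CDN is rejected, while the page's own origin and allow-listed hosts pass. The header value, page origin and hostnames are constructed for illustration; nonces, hashes and 'strict-dynamic' are not modelled.

```javascript
// Added example: evaluate whether a script URL is permitted by a CSP header.
// Models 'self', 'none', scheme sources and host sources (with *.wildcards,
// ports and paths). Nonces, hashes and 'strict-dynamic' are out of scope.

function parseCsp(header) {
  const policy = {};
  for (const directive of header.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {             // *.example.net matches a.example.net only
    const suffix = pattern.slice(1).toLowerCase();
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern.toLowerCase() === host;
}

function sourceMatches(source, scriptUrl, pageOrigin) {
  const url = new URL(scriptUrl);
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false;   // other keywords never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  // Host source: optional scheme, host (maybe wildcard), optional port, optional path.
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/i);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (scheme && scheme.toLowerCase() !== url.protocol.slice(0, -1)) return false;
  if (!hostMatches(host, url.hostname)) return false;
  const urlPort = url.port || (url.protocol === 'https:' ? '443' : '80');
  if (port && port !== '*' && port !== urlPort) return false;
  if (path) {                                 // trailing slash = prefix, else exact path
    if (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path) return false;
  }
  return true;
}

function scriptAllowed(header, scriptUrl, pageOrigin) {
  const policy = parseCsp(header);
  const sources = policy['script-src'] || policy['default-src']; // script-src falls back
  if (!sources) return true;                  // no governing directive: unrestricted
  return sources.some((s) => sourceMatches(s, scriptUrl, pageOrigin));
}

// Constructed policy: only the page itself and one CDN may serve scripts.
const SAMPLE_CSP = "default-src 'self'; script-src 'self' https://*.example-cdn.net; img-src *";
const PAGE_ORIGIN = 'https://www.example.com';
```

Running `scriptAllowed(SAMPLE_CSP, 'https://code.jquery.com/jquery.min.js', PAGE_ORIGIN)` returns false, which is the failure the bookmarklet hits; the same call for `https://www.example.com/app.js` returns true.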
