How does same-domain policy apply to background scripts (NON-content scripts) in Firefox and Chrome extensions?

Question

To my understanding, there are two types of scripts in an extension, one is "content scripts" that run from, and interact with DOM in webpages, which are governed by the same origin policy; the other are scripts, call them "extension scripts", that run in the background and may or may not interact with webpages, like main.js in Firefox or background.js in Chrome. Here is Google's explanation for extension scripts

"...have a single long-running script to manage some task or state ...the background page is an HTML page that runs in the extension process. It exists for the lifetime of your extension, and only one instance of it at a time is active"

So the question is, how does same-origin policy apply to "extension scripts"? And why should it, since these scripts are independent from contents on the webpage that is being viewed? What is the domain of an extension script anyway? (Google says "extension attempts to use a security origin other than itself", but doesn't explicitly state what the origin is.)

Could the following be done in an extension?

Example one: get the time from a time server, and display it on the add-on bar.

Example two: an extension that checks whether a recently closed page from an arbitrary domain (or a bookmarked but closed page) is updated, and alerts the user if it is.

I know cross-domain HTTP and FTP requests in Chrome can be accomplished by using XMLHttpRequest after declaring the permission http://*/. But what about Firefox? What about other protocols, like SMTP, PPP, etc.?

Is WebSocket in HTML5, used in an extension script, shackled by the same-domain policy?

Answer

Firefox has two types of extensions: traditional Overlay extensions and new Add-on SDK extensions.

Overlay extensions aren't subject to the same-origin policy; for example, the following jQuery code worked for me:

$.get("http://www.example.org", function() { /* do something */ } );

However for new Add-on SDK extensions the situation is pretty much the same as for Google Chrome extensions: the "extension script" is limited by the same origin policy and you can whitelist domains in package.json using cross-domain-content attribute:

"permissions": {
  "cross-domain-content": ["http://example.org/", "http://example.com/"]
}

Wildcards are not allowed in this attribute. You have to request specific domains, as written on the MDN site:

The domains listed must include the scheme and fully qualified domain name, and these must exactly match the domains serving the content...

So for your examples, they would fail on same origin policy. You'd have to either write an Overlay extension, or use CORS, JSONP or other techniques to get around it, if possible.
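As an added illustration (not code from the question, the answer, or either browser project), the following models how a background/extension script's cross-origin request is gated by the declared permissions in the two styles the answer contrasts: the Add-on SDK `cross-domain-content` list (exact scheme plus fully qualified host, no wildcards) and a Chrome host pattern such as `http://*/`. The Chrome matcher is a simplification (an assumption of this example): it compares scheme and host only and ignores the path part of the pattern.

```javascript
// Added example, not from the original page. Models permission checks for
// cross-origin requests issued from an extension's background script.
//
// Add-on SDK package.json:
//   "permissions": { "cross-domain-content": ["http://example.org/", ...] }
//   Each entry must carry a scheme and a fully qualified host, must match the
//   serving origin exactly, and may not contain wildcards.
// Chrome manifest host permissions such as "http://*/" or "*://*.example.org/":
//   scheme may be "*" (http or https), host may be "*" or "*.domain".
//   Assumption/simplification: only scheme and host are compared; the
//   pattern's path component is ignored here.

function sdkAllows(crossDomainContent, url) {
  const target = new URL(url);
  return crossDomainContent.some((entry) => {
    if (entry.includes("*")) return false;      // wildcards are rejected outright
    let declared;
    try { declared = new URL(entry); } catch { return false; } // entry needs a scheme
    // Exact match on scheme and host (including port); subdomains do not match.
    return declared.protocol === target.protocol && declared.host === target.host;
  });
}

function chromeAllows(hostPatterns, url) {
  const target = new URL(url);
  return hostPatterns.some((pattern) => {
    const m = /^(\*|https?|ftp):\/\/(\*|\*\.[^/*]+|[^/*]+)\/.*$/.exec(pattern);
    if (!m) return false;                       // malformed pattern grants nothing
    const [, scheme, host] = m;
    const schemeOk = scheme === "*"
      ? target.protocol === "http:" || target.protocol === "https:"
      : target.protocol === scheme + ":";
    const hostOk = host === "*"
      || target.hostname === host
      || (host.startsWith("*.") &&
          (target.hostname === host.slice(2) || target.hostname.endsWith(host.slice(1))));
    return schemeOk && hostOk;
  });
}

// Usage with the answer's package.json entries and a constructed Chrome pattern.
const SDK_WHITELIST = ["http://example.org/", "http://example.com/"];
console.log(sdkAllows(SDK_WHITELIST, "http://example.org/time"));     // true
console.log(sdkAllows(SDK_WHITELIST, "http://www.example.org/time")); // false: host not exact
console.log(chromeAllows(["http://*/"], "http://www.example.org/"));  // true: wildcard host
```

Running the same URL through both checkers shows why the answer's example one (a time server on an arbitrary host) passes under a broad Chrome wildcard but fails under the SDK list unless that exact origin is declared.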
