Edit Content Security Policy in onHeadersReceived

Question

I'm developing a small chrome extension for myself to embed an iframe into the website. Content Security Policy makes this difficult, since the frame-src directive on a few websites doesn't allow my content to be loaded. The error message is the following:

Refused to frame 'mydomain' because it violates the following Content Security Policy directive: "frame-src someotherdomain".

So far, I have tried adding my host to the frame-src directive and to the frame-ancestors in webRequest.onHeadersReceived.

Permissions in the manifest.json are the following:

    "permissions": ["contextMenus", "webRequest", "<all_urls>", "tabs", "webRequestBlocking"],

Editing the headers in background.js:

chrome.webRequest.onHeadersReceived.addListener(
    editCSPHeader,
    {
        urls: [ "<all_urls>" ],
        types: [ "sub_frame" ]
    },
    ["blocking", "responseHeaders"]
);

function editCSPHeader(r) {
    const headers = r.responseHeaders; // original headers
    for (let i=headers.length-1; i>=0; --i) {
        let header = headers[i].name.toLowerCase();
        if (header === "content-security-policy") { 
            headers[i].value = headers[i].value.replace("frame-src", "frame-src https://*.mydomain.xy/*");
        }
    }
    return {responseHeaders: headers};
}

After the iframe was still not loading properly, I did a capture using chrome://net-export. Here the headers showed up as unmodified, even though they should be edited.

Recommended answer

The sources from which an iframe can be loaded are restricted by the CSP of its parent frame.

If you want to embed your iframe into the main frame, you need to change the CSP header in the main frame. Change types: [ "sub_frame" ] in your code above to types: [ "main_frame" ] to do that.

Also please note that manipulation of headers using chrome.webRequest.onHeadersReceived is not very reliable. Only one extension at a time can modify them, so other extensions that do so may break your extension.
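
An added example (not part of the original question or answer): a main_frame listener that parses the policy instead of string-replacing `frame-src`, so it also handles a missing `frame-src` (fallback to `child-src`, then `default-src`), a `'none'` source list, and several comma-separated policies in one header. `MY_ORIGIN` and the helper names are assumptions; the `/*` suffix from the question is dropped because CSP host-sources have no path wildcard.

```javascript
// Hypothetical origin the extension wants to frame (assumption).
const MY_ORIGIN = "https://*.mydomain.xy";

// Rewrite one serialized policy so that `origin` may be framed.
function allowFrameSource(policy, origin) {
  const directives = policy.split(";").map(d => d.trim()).filter(Boolean)
    .map(d => d.split(/\s+/));
  const find = name => directives.find(d => d[0].toLowerCase() === name);
  let frameSrc = find("frame-src");
  if (!frameSrc) {
    // frame-src falls back to child-src, then default-src.
    const fallback = find("child-src") || find("default-src");
    if (!fallback) return policy; // this policy does not restrict framing
    frameSrc = ["frame-src", ...fallback.slice(1)];
    directives.push(frameSrc);
  }
  // 'none' must stand alone, so drop it before adding a source.
  const sources = frameSrc.slice(1).filter(s => s.toLowerCase() !== "'none'");
  if (!sources.includes(origin)) sources.push(origin);
  frameSrc.splice(1, frameSrc.length - 1, ...sources);
  return directives.map(d => d.join(" ")).join("; ");
}

// One header value can carry several comma-separated policies; all are enforced.
function rewriteCspHeaderValue(value, origin) {
  return value.split(",").map(p => allowFrameSource(p.trim(), origin)).join(", ");
}

// Listener: touch only enforced CSP headers, leave everything else as received.
function editCSPHeader(details) {
  const headers = details.responseHeaders.map(h =>
    h.name.toLowerCase() === "content-security-policy"
      ? { name: h.name, value: rewriteCspHeaderValue(h.value, MY_ORIGIN) }
      : h);
  return { responseHeaders: headers };
}

// Register only when running inside an extension background page.
if (typeof chrome !== "undefined" && chrome.webRequest) {
  chrome.webRequest.onHeadersReceived.addListener(
    editCSPHeader,
    { urls: ["<all_urls>"], types: ["main_frame"] }, // main_frame, per the answer
    ["blocking", "responseHeaders"]
  );
}
```

Every other directive is passed through unchanged, so the page's policy is widened by exactly one framing source and nothing else.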
