How does Same Origin Policy apply to browser extensions?

Problem description

Given a browser extension that sends information from one webpage to an entirely different server, is this violating the same origin policy?

Recommended answer

The same-origin policy (SOP) applies to ordinary web pages, not browser extensions, even if they are written in JavaScript. What does "different server" mean when the extension code does not originate from a server? (The extension script might have some kind of origin, like chrome-extension://longhashidentificationstr, but not a traditional domain/origin.) To communicate with any Web page (except those that have CORS headers), the extension cannot be bound by the SOP.

Extensions don't exactly "violate" the SOP; instead, the SOP does not apply to them. The SOP is designed to limit damage that can be caused by a compromised or malicious Web page. Viewing a web page should require zero trust in the page, since it is so easy to visit a Web page. However, installing an extension is something users do less frequently and has larger impact on the user, so it's not unreasonable to require some trust in the extension.
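
The trust placed in an extension is scoped by its manifest, so a reviewer can check which cross-origin hosts it can actually read. The following is an added example, not part of the original answer: a simplified model of Chrome's documented rule for extension pages and service workers (a matching host permission makes the response readable, otherwise CORS decides). The function names and the sample manifest are constructed for illustration; `host_permissions`, `permissions` and the match-pattern syntax are Chrome's own.

```javascript
// Simplified model: a cross-origin response is readable by extension code if a
// host permission in the manifest matches the URL; otherwise CORS decides.

// Compile a match pattern (<scheme>://<host>/<path>) into a URL predicate.
// Returns null for non-host entries such as "tabs" or "storage".
function compilePattern(pattern) {
  if (pattern === '<all_urls>') {
    return (u) => ['http:', 'https:', 'file:', 'ftp:'].includes(u.protocol);
  }
  const m = /^(\*|https?|file|ftp):\/\/(\*|\*\.[^/*]+|[^/*]*)(\/.*)$/.exec(pattern);
  if (!m) return null;
  const [, scheme, host, path] = m;
  const escaped = path.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  const pathRe = new RegExp('^' + escaped + '$');
  return (u) => {
    const s = u.protocol.slice(0, -1);
    const schemeOk = scheme === '*' ? s === 'http' || s === 'https' : s === scheme;
    const hostOk = host === '*' ? true
      : host.startsWith('*.') ? u.hostname === host.slice(2) || u.hostname.endsWith(host.slice(1))
      : u.hostname === host;
    return schemeOk && hostOk && pathRe.test(u.pathname + u.search);
  };
}

// MV3 lists hosts under "host_permissions"; MV2 mixes them into "permissions".
function hostPatterns(manifest) {
  return [...(manifest.host_permissions || []), ...(manifest.permissions || [])]
    .filter((p) => compilePattern(p) !== null);
}

// corsAllows: whether the server's CORS headers admit the extension's origin.
function extensionCanRead(manifest, url, corsAllows = false) {
  const u = new URL(url);
  if (hostPatterns(manifest).some((p) => compilePattern(p)(u))) return 'host-permission';
  return corsAllows ? 'cors' : 'blocked';
}

// Patterns that reach every host: the grants worth questioning in a review.
function broadGrants(manifest) {
  return hostPatterns(manifest).filter((p) => p === '<all_urls>' || /^(\*|https?):\/\/\*\//.test(p));
}

// Constructed sample manifest (not from the original page).
const sampleManifest = {
  manifest_version: 3,
  permissions: ['storage', 'tabs'],
  host_permissions: ['https://*.example.com/*', '*://*/api/*'],
};
```

Content scripts are not covered by this model; they run in the context of the page they are injected into.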
