Chrome Extension - Content Security Policy - executing inline code


Question

I am using an external JavaScript lib in my chrome extension. It has inline execution, so I get the following kind of error

(The error I get on console)

Refused to execute JavaScript URL because it violates the following Content Security Policy directive: "script-src 'self' chrome-extension://". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.

The error message clearly says there is a work-around possible.

Chrome - Content Security Policy says it is not possible. Many related questions cite this link.

Blog This blogger says it is possible, but probably this is applicable only to older chrome extensions.

Any possible work-around?

PS: don't want to / can't change the entire library I am using.

How to use a hash or nonce to enable inline execution?

Accepted answer

No, it is not possible to relax this policy. unsafe-inline is specifically ignored by Chrome Extensions since manifest version 2.

Documentation (emphasis mine):

There is no mechanism for relaxing the restriction against executing inline JavaScript. In particular, setting a script policy that includes 'unsafe-inline' will have no effect.

The error message mentions several possible ways, but the docs are clear that no CSP will allow inline scripting, and ignoring unsafe-inline is but one of the measures.

As of Chrome 46, inline scripts can be whitelisted by specifying the base64-encoded hash of the source code in the policy. This hash must be prefixed by the used hash algorithm (sha256, sha384 or sha512). See Hash usage for elements for an example.

See this answer for a more in-depth look at whitelisting.
