Chrome 扩展:不安全的 JavaScript 尝试使用 URL 访问框架 域、协议和端口必须匹配 [英] Chrome Extension: Unsafe JavaScript attempt to access frame with URL Domains, protocols and ports must match

问题描述

此答案指定说明如何访问 gmail.com 上所有 iframe 的内容 https://stackoverflow.com/a/9439525/222236

This answer specifies explains how to access the content of all iframes on gmail.com https://stackoverflow.com/a/9439525/222236

但是在 mail.google.com 上它会抛出这个错误:

But on mail.google.com it throws this error:

Unsafe JavaScript attempt to access frame with URL https://plus.google.com/u/0/_/... from frame with URL https://mail.google.com/mail/u/0/#inbox. Domains, protocols and ports must match.

我尝试将 *://plus.google.com/* 添加到扩展程序清单的匹配项中，但没有帮助.

I tried adding *://plus.google.com/* to the matches of the manifest of the extension, but it didn't help.

更新:在访问内容之前检查 url 有效，但目前我的逻辑非常粗略，因为它只检查 google plus:

Update: Checking for the url before accessing the content works, but my logic is very crude at the moment as it only checks for google plus:

        if(-1==iframes[i].src.indexOf('plus.google.com')) {
            contentDocument = iframes[i].contentDocument;
            if (contentDocument && !contentDocument.rweventsadded73212312) {
                // add poller to the new iframe
                checkForNewIframe(iframes[i].contentDocument);
            }
        }

推荐答案

由于同源导致访问被阻止政策.
避免错误的正确方法是排除来自不同来源的帧.你的逻辑确实很粗糙.它不专门查看主机名，也不考虑其他域.
反转逻辑以获得稳健的解决方案:

Access is blocked due to the same origin policy.
The right way to avoid the error is to exclude the frames from a different origin. Your logic is very crude indeed. It does not specifically look in the host name, and it doesn't account for other domains.
Invert the logic to have a robust solution:

if (iframes[i].src.indexOf(location.protocol + '//' + location.host) == 0 ||
    iframes[i].src.indexOf('about:blank') == 0 || iframes[i].src == '') {

这个白名单的解释:

• protocol://host/ = https://mail.google.com.
  显然，必须允许当前主机
• about:blank 和一个空字符串
  这些框架由 GMail 动态创建和编写脚本.

• protocol://host/ = https://mail.google.com.
  Obviously, the current host has to be allowed
• about:blank and an empty string
  These frames are dynamically created and scripted by GMail.

这篇关于Chrome 扩展:不安全的 JavaScript 尝试使用 URL 访问框架 域、协议和端口必须匹配的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！