How can my Add-on SDK content script interact with a website page script?


Problem description


In my SDK add-on, I'd like to

  • call a function in a page script
  • export, read (get), write (set) or manipulate some variable or property in a page script
  • export a new function to or override an existing function in a page script
  • or post a custom event to a page that the page script can listen for.

How can my Add-on SDK content script communicate with a website?

Solution

There are a multitude of ways to interact with page scripts, the most common of which are covered in the official documentation, including all of the ways listed in the question.

Please read "Interacting with page scripts".

However, it should be pointed out that interacting with page scripts in a secure fashion can be hard. Be particularly aware that unsafeWindow is called unsafe for a reason:

Be careful using unsafeWindow: you can't rely on any of its properties or functions being, or doing, what you expect. Any of them, even setters and getters, could have been redefined by a page script. Don't use it unless you trust the page, and even then be careful.

Also, unsafeWindow isn't a supported API, so it could be removed or changed in a future version of the SDK.

Reading data from or executing functions of unsafeWindow is safe in the sense that it cannot directly lead to code execution in another (your content script) security context. The JavaScript engine compartments will make sure of that.

But it is very true that you must never trust data coming from a website. Always expect code to throw, denial-of-service you with unexpected infinite loops, or similar. And never ever explicitly or implicitly evaluate code in the context of your content script.

Also, never think you can actually trust a website, even if it is your own website. Websites can be compromised (hacked), owners can change in the future, the data could be changed en route (active Man-In-The-Middle attacks), or another add-on could have modified it, etc.
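
The following is an added example, not part of the original answer or the SDK documentation. It shows one way a content script can read page-controlled data along the lines the answer describes: expect getters to throw, check types before use, and parse text as data instead of evaluating it. The plain objects standing in for unsafeWindow, the `config` property and the `MAX_LEN` bound are assumptions made for illustration.

```javascript
'use strict';
// Added example. `pageObj` stands in for unsafeWindow; the sample pages at the
// bottom are constructed. MAX_LEN and the `config` property are assumptions.
const MAX_LEN = 256;

// Read one property. The access may run a getter the page redefined, so it
// can throw or return any type. (try/catch cannot stop a getter that loops.)
function readUntrusted(pageObj, name, expectedType) {
  let value;
  try {
    value = pageObj[name];
  } catch (e) {
    return { ok: false, reason: 'getter threw' };
  }
  if (typeof value !== expectedType) {
    return { ok: false, reason: 'unexpected type: ' + typeof value };
  }
  if (expectedType === 'string' && value.length > MAX_LEN) {
    return { ok: false, reason: 'too long' };
  }
  return { ok: true, value };
}

// Treat page text as data only: JSON.parse never runs code, unlike eval().
function parseConfig(pageObj) {
  const raw = readUntrusted(pageObj, 'config', 'string');
  if (!raw.ok) return raw;
  let parsed;
  try {
    parsed = JSON.parse(raw.value);
  } catch (e) {
    return { ok: false, reason: 'not JSON' };
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    return { ok: false, reason: 'not an object' };
  }
  // Copy only the fields we expect, each type-checked; ignore everything else.
  const theme = typeof parsed.theme === 'string' ? parsed.theme : 'default';
  return { ok: true, value: { theme } };
}

// Constructed sample pages.
const honestPage = { config: '{"theme":"dark","extra":1}' };
const throwingPage = Object.defineProperty({}, 'config', {
  get() { throw new Error('page-defined getter'); },
});
const codePage = { config: 'globalThis.evaluated = true' };
const objectPage = { config: { toString() { return '{}'; } } };
console.log([honestPage, throwingPage, codePage, objectPage].map(parseConfig));
```

Only the first sample yields a usable value; the others are rejected without any page-supplied text being evaluated or coerced in the content script.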
