How does Same Origin Policy apply to browser extensions?


Question



Given a browser extension that sends information from one webpage to an entirely different server, is this violating the same origin policy?

Solution

The same-origin policy (SOP) applies to ordinary web pages, not browser extensions, even if they are written in JavaScript. What does "different server" mean when the extension code does not originate from a server? (The extension script might have some kind of origin, like chrome-extension://longhashidentificationstr, but not a traditional domain/origin.) To communicate with any Web page (except those that have CORS headers), the extension cannot be bound by the SOP.

Extensions don't exactly "violate" the SOP; instead, the SOP does not apply to them. The SOP is designed to limit damage that can be caused by a compromised or malicious Web page. Viewing a web page should require zero trust in the page, since it is so easy to visit a Web page. However, installing an extension is something users do less frequently and has a larger impact on the user, so it's not unreasonable to require some trust in the extension.
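The mechanism the answer describes, as an added illustration that is not part of the original question or answer: a small JavaScript model of the same-origin comparison, a simplified matcher for the match patterns Chrome extensions list under `host_permissions`, and a decision function that says which execution context may read a cross-origin response. The model follows current Chrome behaviour as an assumption of the example: a content script shares the origin of the page it is injected into and is subject to that page's CORS rules, while the extension's background service worker runs in the `chrome-extension://<id>` origin and may read responses from any host its `host_permissions` match. The manifest fragment, extension ID, URLs and contexts are constructed for the example and do not refer to a real extension.

```javascript
// Added example, not code from the original answer. Models (in simplified
// form) how the same-origin policy and extension host permissions decide
// whether JavaScript in a given context may read a cross-origin response.

// An origin is the tuple (scheme, host, port); default ports are normalised.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

function originOf(url) {
  const u = new URL(url);
  // chrome-extension://<id>/... : the extension ID is the "host", no port.
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return `${u.protocol}//${u.hostname}${port ? ':' + port : ''}`;
}

function isSameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Simplified matcher for Chrome match patterns such as
//   <all_urls>, *://*.example.com/*, https://collector.example.net/*
// Only http(s)/ws(s) hosts are handled; file: and ftp: patterns are omitted.
// As in Chrome, the path part is matched against path + query string.
function matchPattern(pattern, url) {
  const u = new URL(url);
  const proto = u.protocol.slice(0, -1); // "https:" -> "https"
  if (pattern === '<all_urls>') return /^(https?|wss?)$/.test(proto);
  const m = /^(\*|https?|wss?):\/\/(\*|\*\.[^/*]+|[^/*]+)(\/.*)$/.exec(pattern);
  if (!m) throw new Error(`invalid match pattern: ${pattern}`);
  const [, scheme, host, path] = m;
  if (scheme === '*' ? !/^https?$/.test(proto) : scheme !== proto) return false;
  if (host.startsWith('*.')) {
    // "*.example.com" matches example.com itself and any subdomain.
    const base = host.slice(2);
    if (u.hostname !== base && !u.hostname.endsWith('.' + base)) return false;
  } else if (host !== '*' && u.hostname !== host) {
    return false;
  }
  const pathRe = new RegExp('^' + path.split('*').map(escapeRe).join('.*') + '$');
  return pathRe.test(u.pathname + u.search);
}

// Which rule applies depends on where the code runs (assumed model of Chrome):
//  - 'page' script: ordinary SOP; a cross-origin response is readable only if
//    the server opts in with CORS headers;
//  - 'content_script': runs inside the page's origin, so the same rule as page JS;
//  - 'background': runs in the chrome-extension:// origin and may read responses
//    from any host matched by the manifest's host_permissions.
function canReadCrossOriginResponse(context, targetUrl, { serverAllowsCors = false } = {}) {
  if (isSameOrigin(context.origin, targetUrl)) return true;
  if (context.kind === 'background') {
    return (context.hostPermissions || []).some((p) => matchPattern(p, targetUrl));
  }
  return serverAllowsCors;
}

// Constructed manifest.json fragment and contexts (placeholder extension ID).
const manifest = {
  manifest_version: 3,
  host_permissions: ['*://*.example.com/*', 'https://collector.example.net/*'],
};
const EXT_ID = 'abcdefghijklmnopabcdefghijklmnop'; // placeholder, not a real extension
const page = { kind: 'page', origin: 'https://www.example.com/article' };
const contentScript = { kind: 'content_script', origin: 'https://www.example.com/article' };
const background = {
  kind: 'background',
  origin: `chrome-extension://${EXT_ID}/sw.js`,
  hostPermissions: manifest.host_permissions,
};

const TARGET = 'https://collector.example.net/ingest';
console.log('page JS      ->', canReadCrossOriginResponse(page, TARGET));          // false
console.log('content script ->', canReadCrossOriginResponse(contentScript, TARGET)); // false
console.log('background   ->', canReadCrossOriginResponse(background, TARGET));    // true
console.log('background, unlisted host ->',
  canReadCrossOriginResponse(background, 'https://other.example.org/'));           // false
```

In this model, the page script and the content script are refused the same way (the server at `collector.example.net` has not sent CORS headers), while the background worker is allowed because the user granted `https://collector.example.net/*` at install time. That is why extensions that ship page data to another server typically relay it from the content script to the background worker with `chrome.runtime.sendMessage` and perform the `fetch` there, and it is the concrete form of the answer's point: the cross-origin capability comes from a permission the user consented to when installing the extension, not from a hole in the SOP.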

