Content security policy issue with Chrome extension


Problem description



Trying to load different content (can be pdf, swf etc.) in an 'iframe' through JavaScript in a Chrome extension application. The content is loaded using the data URL scheme as:

// this javascript is registered in the html file and the LoadFunction is registered inside the DOMContentLoaded event on the click of a button.

function LoadFunction() {
  // base64 data is received from a C++ class
  var base64Data = 'base64 encoded data';
  window.parent.document.getElementById("page_data").src = 'data:application/pdf;base64,' + base64Data;
}

but as soon as above function is called, a content security policy error is raised as :

Refused to load plugin data from 'data:application/pdf;base64,JVBERi0xLjQNCiXi48/TDQoxIDAgb2JqDQo8PA0KL1R5cGU…mRvYmoNCjkgMCBvYmoNCjw8DQovVHlwZSAvRm9udA0KL1N1YnR5cGUgL1R5cGUxDQovQmFzZUZ' because it violates the following Content Security Policy directive: "default-src 'self'".

But surprisingly this error is NOT raised when the data url is changed to : 'data:image/png;base64,' + 'base64 encoded data'; and the image gets loaded into iframe successfully.

As far as I know, this error is raised only when inline code is executed directly in the HTML file, but this isn't the case here, and if that is the case then why does it not get raised for image files?

Also, if I try setting the content security policy in the manifest.json file as: "content_security_policy": "script-src 'self'; object-src 'self' ; frame-src 'self' data:"

then the error changes to: Refused to load plugin data from 'data:application/pdf;base64,' because it violates the following Content Security Policy directive: "object-src 'self'".

So probably object-src needs to be set, but I'm not sure what it should be.

Solution

According to the documentation of the Chrome extension's Content Security Policy,

Note that both script-src and object-src are defined by the policy. Chrome will not accept a policy that doesn't limit each of these values to (at least) 'self'.

It is not possible to relax your extension's CSP to accept the PDF.
However...

You can define a sandboxed extension resource, i.e. a page within your extension that is not affected by the extension's CSP. At the same time, the page will lose its access to the Chrome extension API, to protect against security vulnerabilities in your page. If you wish to communicate between your extension and the sandboxed page, use postMessage - e.g. as shown at "Using eval in Chrome Extensions. Safely."
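The sandboxed-page approach the answer describes, written out as an added example; this is not code from the original question or answer. It assumes a Manifest V2 layout with hypothetical file names: popup.html is a normal extension page holding an iframe with id "sb" that loads sandbox.html, sandbox.html is listed under "sandbox.pages" in manifest.json and contains the plugin element (an embed with id "page_data") plus this script. The plugin element has to live inside the sandboxed document itself: the extension page is still governed by object-src 'self', so setting a data: URL on an element owned by the extension page, as in the question, is what triggers the error. Two points a practitioner should not skip: a sandboxed page runs at an opaque origin, so event.origin arrives as the string "null" and messages to the frame must use targetOrigin '*'; both sides therefore authenticate on event.source instead. And the sandbox receives arbitrary bytes from the other side, so it allowlists the MIME type and checks the base64 before assigning the data: URL. The message shapes ({type:'load', mime, base64} and {type:'load-result'}) and the sample payload are constructed for this example.

```javascript
'use strict';

// Added example (not from the original Q&A). Assumed manifest.json fragment (Manifest V2):
//   "content_security_policy": "script-src 'self'; object-src 'self'",
//   "sandbox": { "pages": ["sandbox.html"] }
// (Manifest V3 moves the sandbox CSP under content_security_policy.sandbox.)
// popup.html: <iframe id="sb" src="sandbox.html"></iframe> <button id="load_btn">Load</button>
// sandbox.html: <embed id="page_data"> plus this script.

// MIME types the sandbox is willing to hand to a plugin or the renderer.
// (swf is deliberately absent: the sandbox should not widen what can be loaded.)
const ALLOWED_MIME = new Set(['application/pdf', 'image/png', 'image/jpeg']);

// Strict base64: alphabet only, length a multiple of 4, padding only at the end.
const BASE64_RE = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;

function isBase64(s) {
  return typeof s === 'string' && s.length > 0 && s.length % 4 === 0 && BASE64_RE.test(s);
}

// Validate a {type:'load', mime, base64} request from the extension page and turn
// it into the data: URL the sandboxed page will assign to its <embed>.
// Returns { ok: true, url } or { ok: false, error }.
function buildLoadRequest(msg) {
  if (!msg || msg.type !== 'load') return { ok: false, error: 'unknown message type' };
  if (!ALLOWED_MIME.has(msg.mime)) return { ok: false, error: 'mime type not allowed' };
  if (!isBase64(msg.base64)) return { ok: false, error: 'payload is not base64' };
  return { ok: true, url: 'data:' + msg.mime + ';base64,' + msg.base64 };
}

// Side that runs inside sandbox.html. event.origin is "null" here (opaque origin),
// so the only usable authentication is "did this come from my parent frame?".
function installSandboxSide(win) {
  win.addEventListener('message', (event) => {
    if (event.source !== win.parent) return;          // ignore every other window
    const result = buildLoadRequest(event.data);
    if (result.ok) {
      // Allowed because this document is not covered by the extension's object-src 'self'.
      win.document.getElementById('page_data').src = result.url;
    }
    // Report outcome to the extension page; the parent pins event.source on receipt.
    event.source.postMessage({ type: 'load-result', ok: result.ok, error: result.error || null }, '*');
  });
}

// Side that runs inside popup.html. Returns a function that asks the sandbox to load data.
function installExtensionSide(win, iframe) {
  win.addEventListener('message', (event) => {
    if (event.source !== iframe.contentWindow) return; // only our own sandbox frame
    console.log('sandbox reported', event.data);
  });
  return function load(mime, base64) {
    // '*' is unavoidable: the sandboxed frame's origin is opaque, so no targetOrigin matches it.
    iframe.contentWindow.postMessage({ type: 'load', mime, base64 }, '*');
  };
}

// Constructed placeholder payload: base64 of "%PDF-1.4" (a header only, not a full PDF).
const SAMPLE_PDF_B64 = 'JVBERi0xLjQ=';

// Wire up whichever side this script is running in; skipped outside a browser.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  if (document.getElementById('page_data')) {
    installSandboxSide(window);                       // we are sandbox.html
  } else {
    const iframe = document.getElementById('sb');     // we are popup.html
    const btn = document.getElementById('load_btn');
    if (iframe && btn) {
      const load = installExtensionSide(window, iframe);
      btn.addEventListener('click', () => load('application/pdf', SAMPLE_PDF_B64));
    }
  }
}
```

In a real extension the base64 would come from wherever the extension page obtains it (the question mentions a C++ class); the sandbox never sees extension APIs, so all such data has to be pushed in through postMessage as above. Flash content is out of reach today regardless of CSP, since Chrome no longer ships the plugin.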
