Chrome extension XMLHttpRequest: Content Security Policy directive


Problem description

I am trying to access data from a website in my Chrome extension background page. However, I keep getting an error.

I packed the extension and installed it by drag-n-drop into chrome://extensions. It does ask me for permission to view all websites.

Manifest:

"permissions": ["webNavigation", "tabs", "*://*/*", "http://www.google.com/"],

Background.js:

chrome.browserAction.onClicked.addListener(function(tab) {

    var xhr = new XMLHttpRequest();
    xhr.open('GET', "http://www.google.com", true);
    xhr.send();

});

Errors

Refused to connect to 'http://www.google.com/' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.

Error in event handler for browserAction.onClicked: SecurityError: Failed to execute 'open' on 'XMLHttpRequest': Refused to connect to 'http://www.google.com/' because it violates the document's Content Security Policy.

Solution

Those two errors happen respectively because you're trying to make a request to a page without asking for the relative permissions, which have to be set in the "content_security_policy" (CSP) field of your extension's manifest, and because you're trying to connect to an insecure source: you need to GET the page over https:// if you want to make it work, otherwise Chrome will reject your request.

Your CSP field in the manifest should look something like this:

"content_security_policy": "default-src 'self' https://google.com"

See specific information about the CSP at the Chrome extension developer guide here and in the W3C documentation here.


Anyway, even when configuring the right CSP and loading over https, Google still doesn't let you make XMLHttpRequests to some of their pages (like the main page, which is the one you're trying to access) nor load them inside an <iframe>, so even doing everything right, the request will be blocked on the server side, producing the following error in JavaScript:

Uncaught NetworkError: Failed to execute 'send' on 'XMLHttpRequest': Failed to load 'https://google.com/'.

Having stated the above, since it isn't possible to load/request https://www.google.com/ directly, you just have to abandon any script you wish to create which involves doing so.
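Added example (not part of the original question or answer, and not Chrome's own code): a simplified JavaScript model of how a CSP decides whether an XHR destination is allowed, including the fallback from connect-src to default-src named in the error message, run against the policies and URLs quoted above. `SELF` is a constructed extension origin and the function names are hypothetical; ports, paths and nonce/hash sources are not modelled.

```javascript
// Simplified model of CSP source matching for connections (XHR/fetch).
// Handles 'none', 'self', '*', scheme sources and host sources with an
// optional "*." wildcard; ports and paths are ignored (simplification).
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !directives.has(name)) directives.set(name, sources);
  }
  return directives;
}

// An "http" source also matches an "https" URL, never the other way round.
const schemeOk = (srcScheme, urlScheme) =>
  srcScheme === urlScheme || (srcScheme === 'http' && urlScheme === 'https');

function sourceMatches(source, url, selfOrigin) {
  const urlScheme = url.protocol.slice(0, -1);
  if (source === "'none'") return false;
  if (source === "'self'") return `${url.protocol}//${url.host}` === selfOrigin;
  if (source === '*') return /^https?$/.test(urlScheme); // simplification
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return schemeOk(source.slice(0, -1), urlScheme);
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/);
  if (!m) return false;
  const [, srcScheme, srcHost] = m;
  // Simplification: a host source without a scheme is treated as http(s).
  if (srcScheme ? !schemeOk(srcScheme, urlScheme) : !/^https?$/.test(urlScheme)) return false;
  return srcHost.startsWith('*.')
    ? url.hostname.endsWith(srcHost.slice(1)) // "*.a.com": "x.a.com" yes, "a.com" no
    : url.hostname === srcHost;
}

// connect-src governs XHR; when it is absent, default-src is the fallback.
function allowsConnect(policy, target, selfOrigin) {
  const directives = parsePolicy(policy);
  const directive = ['connect-src', 'default-src'].find(d => directives.has(d)) || null;
  if (directive === null) return { allowed: true, directive };
  const url = new URL(target);
  const allowed = directives.get(directive).some(s => sourceMatches(s, url, selfOrigin));
  return { allowed, directive };
}

// Constructed extension origin; both policies are the ones quoted on this page.
const SELF = 'chrome-extension://constructed-extension-id';
const ANSWER_POLICY = "default-src 'self' https://google.com";
console.log(allowsConnect("default-src 'none'", 'http://www.google.com/', SELF));
console.log(allowsConnect(ANSWER_POLICY, 'https://google.com/', SELF));
console.log(allowsConnect(ANSWER_POLICY, 'http://www.google.com/', SELF));
```

In this model a host source matches only the exact host it names, so a policy that lists https://google.com does not cover www.google.com; listing the precise origins the extension needs in connect-src keeps the allowance as narrow as possible.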
