What makes an unsafe script "unsafe"?


Question

I'm new to chrome extensions. I'm writing a little plug-in that zooms in a page when the user presses a button (very new). However, it won't run unless I allow unsafe scripts and it won't carry over to new pages, ostensibly because of the unsafe scripts. All I'm doing is zooming.

What I really want to know is, if it is not asking for information or directly accessing their computer, what makes a script unsafe?

Recommended answer

There are three things making a script unsafe for Google extensions:

It's a common beginner mistake (I have made it). You can't put inline JavaScript statements. For example, you can't handle an event this way:

<img src="myImage.jpg" onclick="doSomething()">

The correct way to do this is to define an id for your DOM element, the image in my example, and to set the event handler in a separate JavaScript file:

page.html:

<img src="myImage.jpg" id="myImage">
<script src="script.js"></script>

script.js:

// In vanilla JavaScript: register the handler from the external file
document.getElementById("myImage").addEventListener("click", doSomething);

// In jQuery
$("#myImage").on("click", doSomething);

Eval and related functions

All functions that can evaluate a String as JavaScript on the fly are unsafe. So the eval function is not allowed, such as new Function("return something.value");

Only local scripts are safe. If you are using, for example, jQuery, you have to include the library in your extension. Loading an external library via CDN links is considered unsafe.

It's a quick overview; you can read more about this and find the explanations of these restrictions in the Google Chrome extension Content Security Policy.
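The three restrictions listed in the answer can be checked before loading an extension. The following is an added example, not part of the original answer: a small Node.js checker that flags inline handlers, inline script bodies, remote script sources and string evaluation. The function name, file names and CDN URL are hypothetical, and the sample inputs are constructed.

```javascript
// Added example, not from the original answer. Heuristic regex checks only;
// a real audit would use an HTML parser and a JavaScript AST.
function findCspViolations(html, scripts = {}) {
  const findings = [];
  // 1. Inline JavaScript: on* handler attributes on any tag.
  for (const tag of html.match(/<[a-z][^>]*>/gi) || []) {
    for (const m of tag.matchAll(/\s(on[a-z]+)\s*=/gi)) {
      findings.push({ rule: "inline-handler", detail: m[1].toLowerCase() });
    }
  }
  // 1 and 3. <script> elements: inline bodies and non-local src values.
  for (const m of html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script>/gi)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    if (!src && m[2].trim()) {
      findings.push({ rule: "inline-script", detail: m[2].trim().slice(0, 40) });
    } else if (src && /^(https?:)?\/\//i.test(src[1])) {
      findings.push({ rule: "remote-script", detail: src[1] });
    }
  }
  // 2. String-to-code evaluation in the extension's own script files.
  for (const [name, code] of Object.entries(scripts)) {
    for (const m of code.matchAll(/\beval\s*\(|\bnew\s+Function\s*\(/g)) {
      findings.push({ rule: "string-eval", detail: `${name}: ${m[0]}` });
    }
  }
  return findings;
}

// Constructed sample inputs (hypothetical file names and CDN URL).
const badPage = `
<img src="myImage.jpg" onclick="doSomething()">
<script>document.body.style.zoom = "150%";</script>
<script src="https://cdn.example.com/jquery.min.js"></script>`;
const badScripts = {
  "script.js": 'var f = new Function("return something.value"); eval("f()");',
};

const goodPage = `
<img src="myImage.jpg" id="myImage">
<script src="jquery.min.js"></script>
<script src="script.js"></script>`;
const goodScripts = {
  "script.js": 'document.getElementById("myImage").addEventListener("click", doSomething);',
};

console.log(findCspViolations(badPage, badScripts));
console.log(findCspViolations(goodPage, goodScripts));
```

The first call reports one finding per restricted pattern (two for the script file), and the second reports none because the page uses only packaged scripts and handlers registered from script.js.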
