What makes an unsafe script "unsafe"?


Problem description


I'm new to chrome extensions. I'm writing a little plug-in that zooms in a page when the user presses a button (very new). However, it won't run unless I allow unsafe scripts and it won't carry over to new pages, ostensibly because of the unsafe scripts. All I'm doing is zooming.


What I really want to know is, if it is not asking for information or directly accessing their computer, what makes a script unsafe?

Recommended answer


There are three things making a script unsafe for Google extensions:

It's a common beginner mistake (I have made it). You can't put inline JavaScript statements. For example, you can't handle an event this way:

<img src="myImage.jpg" onclick="doSomething()">

The correct way to do this is to define an id for your DOM element, the image in my example, and to set the event handler in a separate JavaScript file:

page.html:

<img src="myImage.jpg" id="myImage">
<script src="script.js"></script>

script.js:

// In vanilla JavaScript: attach the handler from the external file
document.getElementById("myImage").addEventListener("click", doSomething);

// In jQuery
$("#myImage").on("click", doSomething);

Eval and related functions

All functions that can evaluate a String as JavaScript on the fly are unsafe. So the eval function is not allowed, nor is, for example, new Function("return something.value");

Only local scripts are safe. If you are using, for example, jQuery, you have to include the library in your extension. Loading an external library via CDN links is considered unsafe.

It's a quick overview; you can read more about this and find explanations of these restrictions in the Google Chrome extension Content Security Policy.
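Added example, not part of the original answer: a small Node.js check that scans an extension's HTML and JavaScript files for the three patterns listed above (inline JavaScript, eval-style functions, remotely loaded scripts) before the browser's Content Security Policy rejects them. The rule ids, function names and sample files are constructed for illustration, and the regex matching is a heuristic, not a full parser.

```javascript
// Added example: heuristic (regex-based) audit for the three patterns above.
// Rule ids, function names and SAMPLE files are constructed for illustration.
const RULES = {
  html: [
    // Inline JavaScript: on* attributes and <script> blocks without src
    { id: "inline-handler", re: /<[a-z][^>]*\son[a-z]+\s*=/gi },
    { id: "inline-script", re: /<script(?![^>]*\ssrc\s*=)[^>]*>\s*[^<\s]/gi },
    // Scripts loaded from outside the extension package (http, https, //)
    { id: "remote-script", re: /<script[^>]*\ssrc\s*=\s*["']?(?:https?:)?\/\//gi },
  ],
  js: [
    // Functions that evaluate a string as code
    { id: "eval", re: /\beval\s*\(/g },
    { id: "new-function", re: /\bnew\s+Function\s*\(/g },
    // setTimeout/setInterval given a string literal also evaluate it as code
    { id: "string-timer", re: /\bset(?:Timeout|Interval)\s*\(\s*["'`]/g },
  ],
};

// Scan one file's text; returns [{ file, rule, line }]
function scan(name, text) {
  const kind = /\.html?$/i.test(name) ? "html" : /\.js$/i.test(name) ? "js" : null;
  if (!kind) return [];
  const findings = [];
  for (const { id, re } of RULES[kind]) {
    for (const m of text.matchAll(re)) {
      const line = text.slice(0, m.index).split("\n").length;
      findings.push({ file: name, rule: id, line });
    }
  }
  return findings;
}

const scanAll = (files) => Object.entries(files).flatMap(([n, t]) => scan(n, t));

// Constructed sample extension files (cdn.example is a placeholder host)
const SAMPLE = {
  "popup.html": [
    '<img src="myImage.jpg" onclick="doSomething()">',
    '<script src="https://cdn.example/jquery.min.js"></script>',
    "<script>zoomIn();</script>",
    '<img src="myImage.jpg" id="myImage">',
    '<script src="script.js"></script>',
  ].join("\n"),
  "script.js": [
    'document.getElementById("myImage").addEventListener("click", doSomething);',
    'const f = new Function("return something.value");',
    'eval("zoom = 2");',
  ].join("\n"),
};

for (const f of scanAll(SAMPLE)) console.log(`${f.file}:${f.line}  ${f.rule}`);
```

Only the last two lines of the sample popup.html and the first line of script.js pass; they are the compliant forms shown in the answer.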
