How can my Add-on SDK content script interact with a website page script?


Question

In my SDK add-on, I'd like to

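  • call functions in a page script
  • export, read (get), write (set) or manipulate some variables or properties in a page script
  • export new functions into a page script or override existing ones
  • or post custom events to the page that a page script can listen for.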

How can my Add-on SDK content script communicate with a website?

Recommended answer

There are a multitude of ways to interact with page scripts, the most common of which are covered in the official documentation, including all of the ways listed in the question.

Please read "Interacting with page scripts".

However, it should be pointed out that interacting with page scripts in a secure fashion can be hard. Be particularly aware that unsafeWindow is called unsafe for a reason:

Be careful using unsafeWindow: you can't rely on any of its properties or functions being, or doing, what you expect. Any of them, even setters and getters, could have been redefined by a page script. Don't use it unless you trust the page, and even then be careful.

Also, unsafeWindow isn't a supported API, so it could be removed or changed in a future version of the SDK.

Reading data from or executing functions of unsafeWindow is safe in the sense that it cannot directly lead to code execution in another (your content script) security context. The JavaScript engine compartments will make sure of that.

But it is very true that you must never trust data coming from a website. Always expect code to throw, Denial-of-service you with unexpected infinite loops or similar. And never ever explicitly or implicitly evaluate code in the context of your content script.

Also, never think you can actually trust a website, even if it is your own website. Websites can be compromised (hacked), owners can change in the future, the data could be changed en route (active Man-In-The-Middle attacks), or another add-on could have modified it, etc.
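
The defensive handling the answer calls for, as an added example that is not part of the original answer or of the SDK documentation: read a page-controlled property once, expect the getter to throw, and accept only a short primitive string in an expected format without ever evaluating or coercing it. The helper name `readUntrustedString`, the `user_<digits>` format and the stand-in page object are assumptions made for illustration; the object plays the role of unsafeWindow so the code runs in plain Node.js.

```javascript
// Added example. pageWindow-style objects below are constructed stand-ins
// for unsafeWindow; readUntrustedString is a hypothetical helper name.
const MAX_LEN = 256;
const ID_RE = /^user_\d{1,10}$/; // assumed format of the value we expect

// Read a page-controlled property once and accept it only if it is a
// short primitive string in the expected format.
function readUntrustedString(obj, key, pattern) {
  let value;
  try {
    value = obj[key]; // a page-defined getter can throw here
  } catch (e) {
    return { ok: false, reason: "getter threw" };
  }
  // Work on the snapshot only: re-reading obj[key] could return something
  // else. Rejecting non-strings means no page-supplied toString/valueOf
  // is ever run by implicit coercion.
  if (typeof value !== "string") {
    return { ok: false, reason: "not a primitive string" };
  }
  if (value.length > MAX_LEN) return { ok: false, reason: "too long" };
  if (!pattern.test(value)) return { ok: false, reason: "unexpected format" };
  return { ok: true, value };
}

// Constructed hostile page object (sample input, not real page code).
function makeHostilePage() {
  const state = { reads: 0, coerced: false };
  const page = {
    userId: "user_42",
    get throwing() { throw new Error("page-defined getter"); },
    // First read looks valid, later reads differ.
    get flipping() { return state.reads++ === 0 ? "user_1" : "changed"; },
    // Coercing this object to a string would run page code.
    sneaky: { toString() { state.coerced = true; return "user_7"; } },
    huge: "user_" + "9".repeat(1000),
  };
  return { page, state };
}

const demo = makeHostilePage();
for (const key of ["userId", "throwing", "flipping", "sneaky", "huge"]) {
  console.log(key, JSON.stringify(readUntrustedString(demo.page, key, ID_RE)));
}
```

This covers reads only; calling a page function synchronously still lets that function run for as long as it likes.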
