Content-Security-Policy error in google chrome extension making
Problem description
I am making a chrome extension that will open all links on a page in new tabs.
Here are my code files:
manifest.json
{
  "name": "A browser action which changes its icon when clicked.",
  "version": "1.1",
  "permissions": [
    "tabs", "<all_urls>"
  ],
  "browser_action": {
    "default_title": "links",      // optional; shown in tooltip
    "default_popup": "popup.html"  // optional
  },
  "content_scripts": [
    {
      "matches": [ "<all_urls>" ],
      "js": ["background.js"]
    }
  ],
  "manifest_version": 2
}
popup.html
<!doctype html>
<html>
  <head>
    <title>My Awesome Popup!</title>
    <script>
      function getPageandSelectedTextIndex()
      {
        chrome.tabs.getSelected(null, function(tab) {
          chrome.tabs.sendRequest(tab.id, {greeting: "hello"}, function (response)
          {
            console.log(response.farewell);
          });
        });
      }
      chrome.browserAction.onClicked.addListener(function(tab) {
        getPageandSelectedTextIndex();
      });
    </script>
  </head>
  <body>
    <button onclick="getPageandSelectedTextIndex()">
    </button>
  </body>
</html>
background.js
// Runs as a content script in the page; reacts to the request sent by the popup.
chrome.extension.onRequest.addListener(
  function(request, sender, sendResponse) {
    console.log(sender.tab ?
                "from a content script:" + sender.tab.url :
                "from the extension");
    if (request.greeting == "hello")
      updateIcon();
  });

// Highlights every link on the page.
function updateIcon() {
  var allLinks = document.links;
  for (var i = 0; i < allLinks.length; i++) {
    allLinks[i].style.backgroundColor = '#ffff00';
  }
}
Initially I wanted to highlight all the links on the page or mark them in some way; but I get the error "Refused to execute inline script because of Content-Security-Policy".
When I press the button inside the popup, I get this error: Refused to execute inline event handler because of Content-Security-Policy.
Please help me fix these errors, so I can open all links in new tabs using my chrome extension.
Recommended answer
One of the consequences of "manifest_version": 2 is that Content Security Policy is enabled by default. And Chrome developers chose to be strict about it and always disallow inline JavaScript code - only code placed in an external JavaScript file is allowed to execute (to prevent Cross-Site Scripting vulnerabilities in extensions). So instead of defining the getPageandSelectedTextIndex() function in popup.html you should put it into a popup.js file and include it in popup.html:
<script type="text/javascript" src="popup.js"></script>
And <button onclick="getPageandSelectedTextIndex()"> has to be changed as well; the onclick attribute is also an inline script. You should assign an ID attribute instead: <button id="button">. Then in popup.js you can attach an event handler to that button:
window.addEventListener("load", function()
{
  document.getElementById("button")
          .addEventListener("click", getPageandSelectedTextIndex, false);
}, false);
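A check for the two constructs named in the errors above (inline script bodies and inline on* event-handler attributes) in an extension's HTML files, written for Node.js. This is an added example, not part of the original question or answer; findInlineCode and the two sample strings are constructed for illustration, and the regex scan is a heuristic, not a full HTML parser.

```javascript
// Added example (not from the original post): heuristic scan of extension HTML
// for inline code that the default manifest_version 2 CSP refuses to run.
// findInlineCode and the sample strings below are assumed names.
function findInlineCode(html) {
  const findings = [];
  const lineOf = (index) => html.slice(0, index).split("\n").length;

  // A <script> element is accepted only when it loads an external file via
  // src; any element with its own body and no src is inline code.
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  for (const m of html.matchAll(scriptRe)) {
    if (!/\bsrc\s*=/i.test(m[1]) && m[2].trim() !== "") {
      findings.push({ kind: "inline-script", line: lineOf(m.index) });
    }
  }

  // Blank out script elements (keeping newlines, so offsets still map to the
  // same lines) so that JavaScript text is not mistaken for HTML attributes.
  const markup = html.replace(scriptRe, (s) => s.replace(/[^\n]/g, " "));
  for (const tag of markup.matchAll(/<[a-z][^>]*>/gi)) {
    for (const a of tag[0].matchAll(/\s(on[a-z]+)\s*=/gi)) {
      findings.push({ kind: "inline-handler", attr: a[1].toLowerCase(), line: lineOf(tag.index) });
    }
  }
  return findings;
}

// Constructed samples: the popup from the question, and the popup after the fix.
const before = `<!doctype html>
<html><head>
<script>
function getPageandSelectedTextIndex() { /* ... */ }
</script>
</head><body>
<button onclick="getPageandSelectedTextIndex()"></button>
</body></html>`;
const after = `<!doctype html>
<html><head>
<script type="text/javascript" src="popup.js"></script>
</head><body><button id="button"></button></body></html>`;

console.log(findInlineCode(before));
console.log(findInlineCode(after));
```

Running it over every HTML page an extension ships before loading the extension surfaces the same violations that Chrome would otherwise report one at a time in the console.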