Javascript，Chrome扩展程序：覆盖Cookie吸气剂和设置程序 [英] Javascript, Chrome extension: overriding cookie getter and setter

问题描述

编辑：在建议使用标题后，我问了一个类似的问题

我试图开发一个Chrome扩展程序，用于分析网站设置/检索的Cookie，如果

我想我必须重写cookie setter和getter。

我发现了类似的问题：

Cookie法，Cookie设置器& getter

在Google Chrome扩展程序中安全覆盖document.cookie

为document.cookie定义getter

检索document.cookie getter和setter

说我很困惑，我不再确定我想要做什么是可能的。

然而，特别是参考问题＃3，我试过来有一个简单的测试扩展覆盖cookie getter和setter与不做任何事情的函数（所以没有cookie应该设置，而这个扩展是活动的）。这些是扩展名的3个文件。

manifest.json

  {manifest_version：2，name：Test，description：测试扩展程序，version：1.0，permissions：[< all_urls>，tabs，webRequest ，webRequestBlocking]，background：{scripts：[background.js]}}  

background.js

  chrome.webRequest.onBeforeRequest.addListener（function .tabs.executeScript（null，{file：cookiescript.js}）;}，{urls：[< all_urls>]}，[blocking]）;  

cookiescript.js

  var old_cookie = document.cookie; Object.defineProperty（document，'cookie'，{get：function（）{console.log（'Get cookie ...'）; return''; }，set：function（val）{console.log（'Setting cookie ...'）; }}）; document.cookie = old_cookie;  

这在en.wikipedia.org，因为它设置各种cookie的时候，你访问它。但是，对于上述扩展，控制台日志将填充获取cookie ... 替换为未捕获的TypeError：无法重新定义属性：cookie ，当我检查存储的Cookie时，我可以看到维基百科创建了所有的cookies，无论我的扩​​展名。

错误似乎很清楚：你不能覆盖cookie setter和getter，

或者，我尝试使用这个版本的cookiescript.js，它采用（弃用） defineSetter 和 defineGetter

  var old_cookie = document.cookie ; document .__ defineSetter __（'cookie'，function（）{console.log（'Setting cookie ...'）;}）; document .__ defineGetter __（'cookie'，function（）{console.log 。'）; return（''）;}）; document.cookie = old_cookie;  

控制台日志会导致设置cookie ... 和获取cookie ... 的交替，但是，再次查看保存的Cookie，它似乎维基百科成功设置所有

任何人都能够指出我必须做什么才能成功地在中间的cookie设置/让我能阻止它，或解释我想要做的是不是不可能？

我的猜想是getter / setter的覆盖实际发生，但只有在网站设置/获得它的cookie，但我不知道如何确保我的覆盖发生第一，而不是（我想使用阻止 onBeforeRequest 会实现，但我似乎是错误）或者根本不可能这样做。

编辑：我以前提到了一个不同的扩展名列表cookie将无法检索他们，所以我以为我成功地overrode吸气剂。我错了，这个扩展程序被破坏了，当修复它显示所有的cookies。

解决方案

很难在这里重现轮子。引用文档：

使用 chrome.cookies API 查询和修改Cookie，以及在更改时通知。

我想，有时候你想阻止它，首先，让我们看看那个，但你必须明白如何 Cookie 工作。有两种cookie集合操作：

1. 由客户端， document.cookie 操作。然后你的方法可能有所帮助，但为了确保cookie被拦截，你不能依赖于程序化注入，它的确太慢了。您需要在资讯清单中使用适当的 run_at parameter ：

    content_scripts：[{
   matches：[< all_urls>]，
   js：[cookiescript.js]，
   run_at：document_start
   }] 
     / pre> 
    
    
   这将确保您的代码在页面上的任何之前执行（在DOM中甚至有任何东西之前）。
    




2. 由服务器作为HTTP响应的一部分。它甚至可以是不暴露给 document.cookie 的HTTP-Only cookie。

   
   
   

   ，但您需要使用 webRequest ，特别是阻止响应到 onHeadersReceived 可以检查和修改设置Cookie的标头，并阻止响应


>

EDIT: After being recommended to work with headers, I asked a similar question here.

I'm trying to develop a Chrome extension that analyzes cookies being set/retrieved by websites and, if a cookie doesn't meet certain requirements, stops it from being set/retrieved.

I figured I would have to override the cookie setter and getter.

I have found similar questions:

Cookie Law, Cookie setter & getter

Safely overriding document.cookie in Google Chrome extension

Defining a getter for document.cookie

Retrieving document.cookie getter and setter

Reading the answers I have to say I am quite confused and am no longer sure what I'm trying to do is even possible.

Nevertheless, referring to question #3 in particular, I tried coming up with a simple test extension that overrides cookie getter and setter with functions that don't do anything (so no cookie should ever be set while this extension is active). These are the 3 files the extension is made of.

manifest.json

{
  "manifest_version": 2,

  "name": "Test",
  "description": "Test extension",
  "version": "1.0",

  "permissions": [
    "<all_urls>",
    "tabs",
    "webRequest",
    "webRequestBlocking"
  ],

  "background": {
    "scripts": ["background.js"]
  }
}

background.js

chrome.webRequest.onBeforeRequest.addListener(
  function(details) {
    chrome.tabs.executeScript(null, {
      file: "cookiescript.js"
    });
  }, {
    urls: [
      "<all_urls>"
    ]
  }, ["blocking"]);

cookiescript.js

var old_cookie = document.cookie;

Object.defineProperty(document, 'cookie', {
  get: function() {
    console.log('Getting cookie...');
    return '';
  },
  set: function(val) {
    console.log('Setting cookie...');
  }
});

document.cookie = old_cookie;

I usually test this on en.wikipedia.org as it sets various cookies the moment you visit it. However, with the above extension, the console log becomes filled with Getting cookie... alternated with Uncaught TypeError: Cannot redefine property: cookie, and when I check cookies stored, I can see that Wikipedia created all the cookies it wanted regardless of my extension.

The error seems to speak clear: you can't override cookie setter and getter, but the fact that other questions (#3 in particular) were answered saying to do just that, I am not sure.

Alternatively, I tried using this version of cookiescript.js, which adopts the (deprecated) defineSetter and defineGetter

var old_cookie = document.cookie;

document.__defineSetter__('cookie', function() {
  console.log('Setting cookie...');
});
document.__defineGetter__('cookie', function() {
  console.log('Getting cookie...');
  return ('');
});

document.cookie = old_cookie;

Console log results in an alternation of Setting cookie... and Getting cookie..., but again, looking at cookies saved, it looks like Wikipedia successfully set all of its cookies.

Would anyone be able to point out what I'd have to do to successfully be in-between cookie setting/getting so that I could stop it, or explain if what I'm trying to do is just impossible?

My wild guess would be that the overriding of getter/setter actually happens, but only after the website set/got its cookies, but I'd have no idea how to make sure my overriding happens first instead (I figured the use of blocking onBeforeRequest would've achieved that, but I seem to be wrong), or if it's simply impossible to do so.

EDIT: I previously mentioned how a different extension to list cookies would not be able to retrieve them, so I thought I successfully overrode the getter. I was mistaken, this extension was broken, and when fixed it was displaying all the cookies.

解决方案

I think you're trying hard to reinvent the wheel here. Quoting the docs:

Use the chrome.cookies API to query and modify cookies, and to be notified when they change.

I get it that sometimes you want to prevent it in the first place, and let's take a look at that as well, but you've got to understand how cookies work. There are 2 kinds of cookie set operations:

1. By the client, by document.cookie manipulation. Then your approach may help, but to ensure that the cookie is intercepted you cannot rely on programmatic injection, it is indeed too slow. You need to declare it in the manifest with a proper run_at parameter:

   "content_scripts" : [{
     "matches" : ["<all_urls>"],
     "js": ["cookiescript.js"],
     "run_at": "document_start"
   }]
   

   This will ensure your code executes before anything else on the page (before there is even anything in the DOM).

2. By the server as part of the HTTP response. It may even be HTTP-Only cookie that's not exposed to document.cookie.

   You can intercept that as well, but you need to use webRequest for that, specifically a blocking response to onHeadersReceived can examine and modify headers that set cookies, and a blocking response to onBeforeSendHeaders can modify cookies reported to the server.

这篇关于Javascript，Chrome扩展程序：覆盖Cookie吸气剂和设置程序的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！