How to add Content Security Policy to Firefox extension


Problem description

I have a plugin which I have to support both on Chrome and Firefox browsers. The plugin does cross script loading.

In Chrome, by adding the content security policy in my manifest.json file, I could get away with it. How can I do it in a Firefox extension?

Solution

I couldn't find a simple solution for my problem, and upon looking up some Firefox plugin extensions I had to come up with my own solution as below. The below solution was tested on FF 24.0 but should work on other versions as well.

// Cc and Ci are the usual shorthands for Components.classes and Components.interfaces.
Cc["@mozilla.org/observer-service;1"].getService(Ci.nsIObserverService)
    .addObserver(_httpExamineCallback, "http-on-examine-response", false);

function _httpExamineCallback(aSubject, aTopic, aData) {
    var httpChannel = aSubject.QueryInterface(Ci.nsIHttpChannel);

    if (httpChannel.responseStatus !== 200) {
        return;
    }

    var cspRules;
    var mycsp;
    // There is no clean way to check for the presence of a CSP header; an exception
    // will be thrown if it is not there.
    // https://developer.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsIHttpChannel
    try {    
        cspRules = httpChannel.getResponseHeader("Content-Security-Policy");
        mycsp = _getCspAppendingMyHostDirective(cspRules);
        httpChannel.setResponseHeader('Content-Security-Policy', mycsp, false);
    } catch (e) {
        try {
            // Fallback mechanism support             
            cspRules = httpChannel.getResponseHeader("X-Content-Security-Policy");
            mycsp = _getCspAppendingMyHostDirective(cspRules);    
            httpChannel.setResponseHeader('X-Content-Security-Policy', mycsp, false);            
        } catch (e) {
            // no csp headers defined
            return;
        }
    }

};

/**
 * @param cspRules : content security policy
 * For my requirement I have to append a rule just to the 'script-src' directive. But you can
 * modify this function to your need.
 *
 */
function _getCspAppendingMyHostDirective(cspRules) {
  var rules = cspRules.split(';'),
    scriptSrcDefined = false,
    defaultSrcIndex = -1;

  for (var ii = 0; ii < rules.length; ii++) {
    if (rules[ii].toLowerCase().indexOf('script-src') != -1) {
      rules[ii] = rules[ii] + ' <My CSP Rule gets appended here>';
      scriptSrcDefined = true;
    }

    if (rules[ii].toLowerCase().indexOf('default-src') != -1) {
      defaultSrcIndex = ii;
    }
  }

  // A few publishers put everything in the default (default-src) directive,
  // without defining script-src. We need to modify those as well.
  if ((!scriptSrcDefined) && (defaultSrcIndex != -1)) {
    rules[defaultSrcIndex] = rules[defaultSrcIndex] + ' <My CSP rule gets appended here>';
  }

  return rules.join(';');
};
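
A token-level variant of the rewriting function above, as an added example that is not part of the original answer: it matches directive names exactly rather than by substring, treats each comma-separated policy in the header separately, and adds an explicit script-src copied from default-src instead of widening default-src for every resource type. EXTENSION_SOURCE and all function names here are assumptions for illustration.

```javascript
// EXTENSION_SOURCE is a hypothetical placeholder for the extension's script host.
var EXTENSION_SOURCE = 'https://ext.example';

// Split one serialized policy into ordered { name, sources } directives.
function parsePolicy(policy) {
  return policy.split(';')
    .map(function (d) { return d.trim().split(/\s+/); })
    .filter(function (tokens) { return tokens[0] !== ''; })
    .map(function (tokens) {
      return { name: tokens[0].toLowerCase(), sources: tokens.slice(1) };
    });
}

// Exact-name lookup; when a directive is repeated, the first occurrence is the one used.
function findDirective(directives, name) {
  for (var i = 0; i < directives.length; i++) {
    if (directives[i].name === name) { return directives[i]; }
  }
  return null;
}

// 'none' is only meaningful alone, so drop it before adding a host; skip duplicates.
function withSource(sources, extra) {
  var kept = sources.filter(function (s) { return s.toLowerCase() !== "'none'"; });
  if (kept.indexOf(extra) === -1) { kept.push(extra); }
  return kept;
}

function appendScriptSource(policy, extra) {
  var directives = parsePolicy(policy);
  var script = findDirective(directives, 'script-src');
  var fallback = findDirective(directives, 'default-src');
  if (script) {
    script.sources = withSource(script.sources, extra);
  } else if (fallback) {
    // Add an explicit script-src so default-src stays as strict as the site set it.
    directives.push({ name: 'script-src', sources: withSource(fallback.sources, extra) });
  }
  return directives.map(function (d) {
    return [d.name].concat(d.sources).join(' ');
  }).join('; ');
}

// A header value may hold several comma-separated policies; each needs the source.
function rewriteCspHeader(headerValue, extra) {
  return headerValue.split(',').map(function (p) {
    return appendScriptSource(p, extra);
  }).join(', ');
}
```

In the observer, rewriteCspHeader(cspRules, EXTENSION_SOURCE) would take the place of _getCspAppendingMyHostDirective(cspRules).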
