如何在contentaccessible = yes时注入脚本失败 [英] How to inject script when contentaccessible=yes fails
问题描述
所以我想动态地插入一个脚本,它将调度一个自定义事件,我将我的插件听。但是,这里只是简单的例子,只需插入脚本提醒:
var aContentWindow = gBrowser.contentWindow;
var aContentDocument = aContentWindow.document;
var myScript = aContentDocument.createElement('script');
myScript.textContent ='alert(registered);'
aContentDocument.documentElement.appendChild(myScript);
所以我试图运行这个网站是twitter,它可以在其他网站上运行。所以我认为可以从addon作用域和chrome路径做到这一点,因为它的内容是 内容安全策略:页面的设置阻止了自我加载资源(script-src unsafe-inline''nonce -hnhqgKrLIxRgkHGdVqfgfA ==''unsafe-eval' https://twitter.com https:// * .twimg.com https://twitter.com https://ton.twitter.com https://platform.twitter.com https://syndication.twitter.com https://analytics.twitter.co m https://www.google-analytics.com https://ssl.google-analytics.com https://connect.facebook.net https://cm.g.doubleclick.net https://api.twitter.com https://graph.facebook.com https://www.google。 COM )。 twitter.com:562:0 第二个同时也是: 内容安全策略:页面的设置阻止了自我加载资源(script-src'unsafe-inline''nonce-hnhqgKrLIxRgkHGdVqfgfA ==''unsafe-eval' https://twitter.com https://ton.twitter.com https://platform.twitter.com https://syndication.twitter.com https://analytics.twitter.com https://www.google-analytics.com https://ssl.google-analytics.com < a href =https://connect.facebook.net =nofollow> https://connect.facebook.net https://cm.g.doubleclick.net https://api.twitter。 com https://graph.facebook.com https://www.google.com )。 想法如何得到这个脚本在那里? 您是否尝试了下标加载器,用包装的Jbject作为目标上下文,而不是操纵DOM? > 您可以尝试的另一件事是创建一个沙盒,将目标窗口指定为 这应该给你一个沙箱完全访问目标窗口,不应该抛出任何安全错误,因为它会使用 //developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Language_Bindings/Components.utils.evalInSandboxrel =nofollow> evalInSandbox ,或者使用下标加载器和沙箱作为目标的窗口。 I have to listen to a jquery event in a webpage. I can't attach a function from wrappedJSObject, becuase it has issues executing functions created in chrome scope. So I thought to dynamically insert a script, which will dispatch a custom event, which I will my addon listen for. But here's simple case, with just inserting script that alerts: So the site I am trying to run this on is twitter, it works on other sites. So I figured lets do this from addon scope with chrome path which had Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src 'unsafe-inline' 'nonce-hnhqgKrLIxRgkHGdVqfgfA==' 'unsafe-eval' https://twitter.com https://*.twimg.com https://twitter.com https://ton.twitter.com https://platform.twitter.com https://syndication.twitter.com https://analytics.twitter.com https://www.google-analytics.com https://ssl.google-analytics.com https://connect.facebook.net https://cm.g.doubleclick.net https://api.twitter.com https://graph.facebook.com https://www.google.com"). twitter.com:562:0 and a second one too at same time: Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src 'unsafe-inline' 'nonce-hnhqgKrLIxRgkHGdVqfgfA==' 'unsafe-eval' https://twitter.com https://*.twimg.com https://twitter.com https://ton.twitter.com https://platform.twitter.com https://syndication.twitter.com https://analytics.twitter.com https://www.google-analytics.com https://ssl.google-analytics.com https://connect.facebook.net https://cm.g.doubleclick.net https://api.twitter.com https://graph.facebook.com https://www.google.com"). Any ideas how to get this script in there? Have you tried the subscript loader, with the wrappedJSObject as target context, instead of manipulating the DOM? Another thing you could try is creating a sandbox, specify the target window as That should give you a sandbox with full access to the target window that shouldn't throw any security errors because it will use transparent wrappers. Once you have that sandbox you can try running your script inside the sandbox via evalInSandbox or using the subscript loader with the sandbox as target instead of the window. 这篇关于如何在contentaccessible = yes时注入脚本失败的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
lockquote>
sandboxPrototype
,将 wantXrays
指定为 false
并使用目标窗口的 document.domain
作为安全主体。
var aContentWindow = gBrowser.contentWindow;
var aContentDocument = aContentWindow.document;
var myScript = aContentDocument.createElement('script');
myScript.textContent = 'alert("registered");'
aContentDocument.documentElement.appendChild(myScript);
contentaccessible=true
so I did that, but it would still give me the error:
sandboxPrototype
, set wantXrays
to false
and use the target window's document.domain
as security principal.