如何在contentaccessible = yes时注入脚本失败 [英] How to inject script when contentaccessible=yes fails

问题描述

我必须在网页上听jquery事件。我无法从wrappedJSObject附加一个函数，因为它有执行在chrome范围中创建的函数的问题。

所以我想动态地插入一个脚本，它将调度一个自定义事件，我将我的插件听。但是，这里只是简单的例子，只需插入脚本提醒：

  var aContentWindow = gBrowser.contentWindow; 
 var aContentDocument = aContentWindow.document; 
 
 var myScript = aContentDocument.createElement（'script'）; 
 myScript.textContent ='alert（registered）;'
 
 aContentDocument.documentElement.appendChild（myScript）; 
  

所以我试图运行这个网站是twitter，它可以在其他网站上运行。所以我认为可以从addon作用域和chrome路径做到这一点，因为它的内容是 contentaccessible = true 所以我这样做了，但是仍然会给我错误：

lockquote>

内容安全策略：页面的设置阻止了自我加载资源（script-src unsafe-inline''nonce -hnhqgKrLIxRgkHGdVqfgfA ==''unsafe-eval' https://twitter.com https：// * .twimg.com https://twitter.com https://ton.twitter.com https://platform.twitter.com https://syndication.twitter.com https://analytics.twitter.co m https://www.google-analytics.com https://ssl.google-analytics.com https://connect.facebook.net https://cm.g.doubleclick.net https://api.twitter.com https://graph.facebook.com https://www.google。 COM ）。 twitter.com:562:0

第二个同时也是：

内容安全策略：页面的设置阻止了自我加载资源（script-src'unsafe-inline''nonce-hnhqgKrLIxRgkHGdVqfgfA ==''unsafe-eval' https://twitter.com https://ton.twitter.com https://platform.twitter.com https://syndication.twitter.com https://analytics.twitter.com https://www.google-analytics.com https://ssl.google-analytics.com < a href =https://connect.facebook.net =nofollow> https://connect.facebook.net https://cm.g.doubleclick.net https：//api.twitter。 com https://graph.facebook.com https://www.google.com ）。

想法如何得到这个脚本在那里？

解决方案

您是否尝试了下标加载器，用包装的Jbject作为目标上下文，而不是操纵DOM？ >

---

您可以尝试的另一件事是创建一个沙盒，将目标窗口指定为 sandboxPrototype ，将 wantXrays 指定为 false 并使用目标窗口的 document.domain 作为安全主体。

这应该给你一个沙箱完全访问目标窗口，不应该抛出任何安全错误，因为它会使用 //developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Language_Bindings/Components.utils.evalInSandboxrel =nofollow> evalInSandbox ，或者使用下标加载器和沙箱作为目标的窗口。

I have to listen to a jquery event in a webpage. I can't attach a function from wrappedJSObject, becuase it has issues executing functions created in chrome scope.

So I thought to dynamically insert a script, which will dispatch a custom event, which I will my addon listen for. But here's simple case, with just inserting script that alerts:

var aContentWindow = gBrowser.contentWindow;
var aContentDocument = aContentWindow.document;

var myScript = aContentDocument.createElement('script');
myScript.textContent = 'alert("registered");'

aContentDocument.documentElement.appendChild(myScript);

So the site I am trying to run this on is twitter, it works on other sites.

So I figured lets do this from addon scope with chrome path which had contentaccessible=true so I did that, but it would still give me the error:

Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src 'unsafe-inline' 'nonce-hnhqgKrLIxRgkHGdVqfgfA==' 'unsafe-eval' https://twitter.com https://*.twimg.com https://twitter.com https://ton.twitter.com https://platform.twitter.com https://syndication.twitter.com https://analytics.twitter.com https://www.google-analytics.com https://ssl.google-analytics.com https://connect.facebook.net https://cm.g.doubleclick.net https://api.twitter.com https://graph.facebook.com https://www.google.com"). twitter.com:562:0

and a second one too at same time:

Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src 'unsafe-inline' 'nonce-hnhqgKrLIxRgkHGdVqfgfA==' 'unsafe-eval' https://twitter.com https://*.twimg.com https://twitter.com https://ton.twitter.com https://platform.twitter.com https://syndication.twitter.com https://analytics.twitter.com https://www.google-analytics.com https://ssl.google-analytics.com https://connect.facebook.net https://cm.g.doubleclick.net https://api.twitter.com https://graph.facebook.com https://www.google.com").

Any ideas how to get this script in there?

解决方案

Have you tried the subscript loader, with the wrappedJSObject as target context, instead of manipulating the DOM?

---

Another thing you could try is creating a sandbox, specify the target window as sandboxPrototype, set wantXrays to false and use the target window's document.domain as security principal.

That should give you a sandbox with full access to the target window that shouldn't throw any security errors because it will use transparent wrappers.

Once you have that sandbox you can try running your script inside the sandbox via evalInSandbox or using the subscript loader with the sandbox as target instead of the window.

这篇关于如何在contentaccessible = yes时注入脚本失败的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！