Chrome扩展程序中iframe的不安全Javascript访问 [英] Unsafe Javascript Access from Iframe in Chrome Extension

问题描述

我正在构建一个Chrome扩展程序，该扩展程序将使用加载Flash内容的Iframe。在Iframe中使用Mootools，我创建一个.swf对象，然后将其注入到自身中。这个Iframe，main.html插入的Flash对象如下所示：

$ $ $ $ $ $ $ c $ window.addEvent（domready，function（） {
var flashContainer = $（flash-container）;
$ b $ new Swiff（http://www.example.com/content.swf，{
（flashContainer）;
width：100％，
height：90％，
id }）;

产生以下错误：

不安全的JavaScript尝试从URL http://www.example.com/main.html 。域，协议和端口必须匹配。

当我删除代码的注入部分时，我没有得到错误。另外，当我使用注入其他非Flash元素，如div，我没有得到错误。我也尝试过使用纯ol的appendChild javascript方法来获得相同的错误。

任何想法，为什么我会只在闪存对象上得到这个错误？有没有办法添加这个flash元素，而不会得到这个错误？

解决方案

<@> MishcaNix和@serg是正确的。

任何跨域调用不是JSONP的资源都会引发这个安全错误。您需要找到一种方法将SWF内容注入到与swf文件相同的域中的页面上，或者使用SWF（如果它是静态的）并使其成为数据URL（data：application / x-swf; base64或者其他）。 - MischaNix

每当一个flash对象嵌入到跨域iframe中时，它将引发跨域异常。对于Youtube和Vimeo来说，这是真的。

例如，用嵌入的iFrame检查这个jsfiddle： http://jsfiddle.net/bkCdB/

 < object width = 420height =315>< param name =movievalue =http://www.youtube.com/v/6V_DsL1x1uY?version=3&amp;hl=en_US>< / param>< param name =allowFullScreenvalue =true>< / param>< param name =allowscriptaccessvalue =always>< / param>< embed src = //www.youtube.com/v/6V_DsL1x1uY?version=3&amp;hl=zh_CNtype =application / x-shockwave-flashwidth =420height =315allowscriptaccess =alwaysallowfullscreen = 真 >< /嵌入>< /对象> 
  

I'm building a Chrome Extension that will be using Iframes that load Flash content. Using Mootools in the Iframe, I'm creating a .swf object and then injecting it into itself. This Iframe, main.html, is inserting the flash object like so:

window.addEvent("domready", function () {
    var flashContainer = $("flash-container");

    new Swiff("http://www.example.com/content.swf", {
        "width":"100%",
        "height":"90%",
        "id":"flash-content"
    }).inject(flashContainer);
});

This produces the following error:

Unsafe JavaScript attempt to access frame with URL chrome-extension://......../index.html from frame with URL http://www.example.com/main.html. Domains, protocols and ports must match.

When I remove the inject portion of the code, I don't get the error. Also, when I use inject on other non-flash elements, such as a div, I don't get the error. I have also tried using the plain ol' appendChild javascript method only to get the same error.

Any idea as to why I would I get this error on a flash object only? And is there a way to add this flash element without getting this error?

解决方案

@MishcaNix and @serg are right.

Any cross-domain call to a resource that isn't JSONP will raise this security error. You'll need to either find a way to inject the SWF content into a page on the same domain as the swf file, or take the SWF (if it's static) and make it a data URL (data:application/x-swf;base64, or somesuch). – MischaNix

Whenever a flash object is embedded in a cross-domain iframe, it will throw a cross-domain exception. This is true for Youtube and Vimeo.

For example, check out this jsfiddle with an iFrame embedded: http://jsfiddle.net/bkCdB/

<object width="420" height="315"><param name="movie" value="http://www.youtube.com/v/6V_DsL1x1uY?version=3&amp;hl=en_US"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/6V_DsL1x1uY?version=3&amp;hl=en_US" type="application/x-shockwave-flash" width="420" height="315" allowscriptaccess="always" allowfullscreen="true"></embed></object>

这篇关于Chrome扩展程序中iframe的不安全Javascript访问的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！