Chrome扩展程序中的Gmail内容安全政策 [英] Gmail Content Security Policy on Chrome extensions
问题描述
Gmail刚刚更新了其内容安全政策: http:// googleonlinesecurity.blogspot.com/2014/12/reject-unexpected-content-security.html
这给我的Chrome扩展程序带来了一个错误,它扩充了Gmail中。要清楚,我的内容脚本正在加载托管在我的服务器上的另一个脚本。这允许快速部署。
拒绝加载脚本'https://< domain-path> .js?'因为它违反了以下内容安全策略指令:script-src'self''unsafe-inline''unsafe-eval'https://talkgadget.google.com/ https://www.googleapis.com/appsmarket/v2 / installedApps / https://www-gm-opensocial.googleusercontent.com/gadgets/js/ https://docs.google.com/static/doclist/client/js/ https://www.google.com/tools / feedback / https://s.ytimg.com/yts/jsbin/ https://www.youtube.com/iframe_api https://ssl.google-analytics.com/ https://apis.google.com/ _ / scs / abc-static / https://apis.google.com/js/ https://clients1.google.com/complete/ https://apis.google.com/_/scs/apps-static/ _ / js / https://ssl.gstatic.com/inputtools/js/ https://ssl.gstatic.com/cloudsearch/static/o/js/ https://www.gstatic.com/feedback/js/ https://www.gstatic.com/common_sharing/static/client/js/ https://www.gstatic.com/og/_/js/。
这是我从内容脚本加载托管脚本的方式:
var script = document.createElement('script');
script.type ='text / javascript';
script.src ='https://< domain-path> .js';
(document.body || document.head || document.documentElement).appendChild(script);
有什么想法?
您不应该在Gmail中插入外部脚本,因为它会减慢页面加载时间,并使其他人更难审核您的扩展。你当然应该 not 使用webRequest API去除 Content-Security-Policy 标头,因为这会降低Gmail的安全性。
如果您真的想在页面的上下文中获取并执行最新版本的代码,请使用 XMLHttpRequest 加载脚本,然后插入一个< script> 标签: > //注意:尽可能避免插入外部脚本!
//如果您的扩展程序完全可以在不带外部脚本的情况下运行
,则不要使用此方法!
//即使您必须加载外部脚本,请确保将其加载到
// https:上,而不是通过http:!如果您从http:-URLs插入脚本,您的用户的
//安全性可能会受到MITM攻击的危害。
var x = new XMLHttpRequest();
x.open('GET','https://example.com/script.js');
x.onload = function(){
var s = document.createElement('script');
s.textContent = x.responseText;
(document.head || document.documentElement).appendChild(s);
};
x.onerror = function(){
//加载失败。回退到加载与您的扩展程序捆绑在一起的(旧版本)脚本
//。它必须列在清单文件中的
//web_accessible_resources部分。
var s = document.createElement('script');
s.src = chrome.runtime.getURL('script.js');
(document.head || document.documentElement).appendChild(s);
};
x.send();
这个方法不需要'unsafe-inline'指令,因为扩展插入的内联脚本绕过了内容安全策略( ref )。
Gmail just updated its Content Security Policy: http://googleonlinesecurity.blogspot.com/2014/12/reject-unexpected-content-security.html
This is throwing an error for my Chrome extension, which augments gmail. To be clear, my content script is loading another script that is hosted on my server. This allows for rapid deployment.
Refused to load the script 'https://<domain-path>.js?' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://talkgadget.google.com/ https://www.googleapis.com/appsmarket/v2/installedApps/ https://www-gm-opensocial.googleusercontent.com/gadgets/js/ https://docs.google.com/static/doclist/client/js/ https://www.google.com/tools/feedback/ https://s.ytimg.com/yts/jsbin/ https://www.youtube.com/iframe_api https://ssl.google-analytics.com/ https://apis.google.com/_/scs/abc-static/ https://apis.google.com/js/ https://clients1.google.com/complete/ https://apis.google.com/_/scs/apps-static/_/js/ https://ssl.gstatic.com/inputtools/js/ https://ssl.gstatic.com/cloudsearch/static/o/js/ https://www.gstatic.com/feedback/js/ https://www.gstatic.com/common_sharing/static/client/js/ https://www.gstatic.com/og/_/js/".
This is how I load the hosted script from content script:
var script = document.createElement('script');
script.type = 'text/javascript';
script.src = 'https://<domain-path>.js';
(document.body || document.head || document.documentElement).appendChild(script);
Any thoughts?
You should not insert external scripts in Gmail, because it slows down the page load time and makes it harder for others to audit your extension. And you should certainly not use the webRequest API to remove the Content-Security-Policy header, because this reduces the security of Gmail.
If you really want to fetch and execute the latest version of your code in the page's context, use XMLHttpRequest to load the script, then insert a <script> tag with this code:
// NOTE: Inserting external scripts should be avoided if possible!
// Do not use this method if your extension can completely function
// without external scripts!
// Even if you have to load an external script, make sure that it is loaded over
// https:, NEVER over http: ! If you insert scripts from http:-URLs, your users'
// security can be compromised by MITM attacks.
var x = new XMLHttpRequest();
x.open('GET', 'https://example.com/script.js');
x.onload = function() {
var s = document.createElement('script');
s.textContent = x.responseText;
(document.head || document.documentElement).appendChild(s);
};
x.onerror = function() {
// Failed to load. Fallback to loading an (old version of your) script
// that is bundled with your extension. It must be listed in the
// "web_accessible_resources" section in your manifest file.
var s = document.createElement('script');
s.src = chrome.runtime.getURL('script.js');
(document.head || document.documentElement).appendChild(s);
};
x.send();
This method does not require the 'unsafe-inline' directive, because inline scripts injected by extensions bypass the content security policy (ref).
这篇关于Chrome扩展程序中的Gmail内容安全政策的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
