将内容安全策略中的多个域列入白名单 [英] Whitelist multiple domains in content security policy
问题描述
我正在撰写一个chrome扩展程序,其内容安全策略的白名单中需要有两个域。我看了官方文档,但我仍然无法弄清楚正确的语法。
以下内容似乎不起作用:
content_security_policy:script-src'self'https://foo.com https://example.com; object-src' self'
编辑:
我的内容脚本和我的弹出窗口都能够访问foo.com,但是无法访问example.com。
Chrome扩展程序能够在CSP中有多个来源列入白名单?
从我对CSP的了解来看,这看起来在语法上是正确的。 CSP上的HTML5 Rocks文章与您的语法一致, :
script-src https://host1.com https://host2.com重定向到
然而,您的问题可能在于:
此CSP 不允许所有子域,包括
www.foo.com和www.example.com。您可以显式添加这些子域名主机名,或者您可以使用https://*.foo.com来允许所有子域名。
如果您的任何脚本请求重定向到未经允许的域,则请求将失败。例如,如果
https://example.com/foo.js以301或<$ c $响应c> 302https://notpermitted.com/foo.js(不允许出处)或https ://www.example.com/foo.js(未经允许的子域),请求将失败根据规范:
无论用户代理何时获取URI(包括重定向后的),如果URI与所允许的脚本源不匹配,用户代理必须如同它收到一个空的HTTP 400响应...
编辑: b
只需确认,Chrome扩展程序就可以将多个HTTPS来源列入白名单。您可以构建一个简单的扩展来测试它:
manifest.json
<$ p
name:CSP Test,
version:1.0,
manifest_version:2,
browser_action:{
default_popup:csp_test.html
},
content_security_policy:script-src'self'https://www.iana.org https:/ /ajax.googleapis.com; object-src'self'
}
csp_test.html
< script src =https://www.iana.org/_js/ 2013.1 /的jquery.js>< /脚本>
< script src =https://ajax.googleapis.com/ajax/libs/jqueryui/1.10.3/jquery-ui.min.js>< / script>
< script src =csp_test.js>< / script>
csp_test.js
alert(jQuery)
alert(jQuery.ui)
该扩展从远程域加载jQuery和jQuery UI。如果您从CSP中删除任何来源,您会看到
未定义警报,表示其中一个库无法加载。I am writting a chrome extension that needs to have two domains in its whitelist for the content security policy. I've looked at the official docs, but I still can't seem to figure out the proper syntax.
The following does not seem to work:
"content_security_policy": "script-src 'self' https://foo.com https://example.com; object-src 'self'"EDIT:
Both my content script and my popup are able to reach foo.com, however, neither can reach example.com.
Are chrome extensions capable of having multiple sources whitelisted in the CSP?
解决方案From what I know about CSPs, this looks syntactically correct. The HTML5 Rocks article on CSP agrees with your syntax, saying:
script-src https://host1.com https://host2.comwould correctly specify both origins as valid.However, your problem may be that either:
This CSP disallows all subdomains, including
www.foo.comandwww.example.com. You can add those subdomain hostnames explicitly, or you can usehttps://*.foo.comto allow all subdomains.If any of your script requests redirect to a non-permitted domain, the request will fail. For example, if
https://example.com/foo.jsresponds with a301or302redirect tohttps://notpermitted.com/foo.js(not-permitted origin) orhttps://www.example.com/foo.js(non-permitted subdomain), the request will fail according to the spec:Whenever the user agent fetches a URI (including when following redirects)... if the URI does not match the allowed script sources, the user agent must act as if it had received an empty HTTP 400 response...
EDIT:
Just to confirm, yes, Chrome extensions can whitelist multiple HTTPS origins. You can build a simple extension to test this:
manifest.json
{ "name":"CSP Test", "version":"1.0", "manifest_version":2, "browser_action":{ "default_popup":"csp_test.html" }, "content_security_policy": "script-src 'self' https://www.iana.org https://ajax.googleapis.com; object-src 'self'" }csp_test.html
<script src="https://www.iana.org/_js/2013.1/jquery.js"></script> <script src="https://ajax.googleapis.com/ajax/libs/jqueryui/1.10.3/jquery-ui.min.js"></script> <script src="csp_test.js"></script>csp_test.js
alert(jQuery) alert(jQuery.ui)This extension loads jQuery and jQuery UI from remote domains. If you remove either origin from the CSP, you will see an "
undefined" alert signifying that one of the libraries failed to load.这篇关于将内容安全策略中的多个域列入白名单的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
