在页面顶部注入JavaScript \反iframe-buster [英] Inject javascript at the very top of the page \ Anti iframe-buster
问题描述
我正在开发一个扩展,有时会在iframe中显示一些网站。我已经绕过了X-FRAME-OPTIONS的问题,但现在我坚持使用简单的 iframe封阻代码,例如:
if(top!= self){
document.getElementsByTagName(html)[0] .style.display =none;
top.location.replace(location);
}
我试图在页面顶部注入javascript以覆盖window.top对象,但是在 document_start 已经太迟了,无法注入它,即 alert()永远不会被调用
chrome.webRequest.onCompleted.addListener(function(details){
if(isEnabled ){
chrome.tabs.executeScript(details.tabId,{frameId:details.frameId,runAt:document_start,code:alert('asas');});
}
$ b类型:[sub_frame],
url:[< all_urls>]
});
有没有解决方法?
谢谢
问题可能是由 chrome.webRequest.onCompleted.addListener 侦听器是异步的
$ b document_start DOM被创建,所以这不是问题的原因。我已经验证了这一点,并尝试回答这个问题。
这里的问题是 chrome.webRequest.onCompleted.addListener 是异步的,这意味着当回调(并且因此您的 chrome.tabs.executeScript )被执行,浏览器已经开始构建DOM。
您可以直接在 manifest.json 中使用content_scripts而不是将脚本注入所有相关的iframe使用程序化注入。我还没有验证过这一点,但是也可以尝试从。您可能已经在监听 chrome.webRequest.onHeadersReceived 侦听器注入脚本,使用blocking 选项,它允许您同步处理请求 onHeadersReceived ,以便移除 X-Frame-Options 标头。
编辑:
阻止 onHeadersReceived 侦听器中的编程注入是不可能的。 Chrome会返回一个关于权限不足的错误 - 可能是因为URL尚不知道(标头可能导致重定向)。
I'm developing an extension that, sometimes, will show some websites inside iframes. I've already bypassed the X-FRAME-OPTIONS issue but now I'm stuck with the simple iframe buster code, eg.:
if (top != self) {
document.getElementsByTagName("html")[0].style.display = "none";
top.location.replace(location);
}
I'm trying to inject javascript at the very top of the page to override the window.top object, but at document_start is already too late to inject it, ie alert() is never called before the buster script runs:
chrome.webRequest.onCompleted.addListener(function(details) {
if (isEnabled) {
chrome.tabs.executeScript(details.tabId, {frameId: details.frameId, runAt: "document_start", code: "alert('asas');"});
}
}, {
types: ["sub_frame"],
urls: ["<all_urls>"]
});
Is there any way around this?
Thank you
The problem is probably caused by chrome.webRequest.onCompleted.addListener listener being asynchronous
document_start injects code before any DOM is created, so that is not the cause of your problem. I have verified this while playing around and trying to answer this question.
The problem here is that chrome.webRequest.onCompleted.addListener is asynchronous, which means that when the callback (and therefor your chrome.tabs.executeScript) is executed, the browser has already started constructing the DOM.
You can start by injecting the script to all relevant iframes directly using the "content_scripts" in manifest.json instead of using programmatic injection. I haven't verified this, but you could also try injecting the script from a . You are probably already listening to chrome.webRequest.onHeadersReceived listener with the "blocking" option, which allows you to handle the request synchronouslyonHeadersReceived in order to remove the X-Frame-Options header anyway.
Edit:
Programmatic injection in a blocking onHeadersReceived listener is not possible. Chrome returns an error about lack of permissions - probably because the URL is not known at this point yet (the headers could cause a redirect).
这篇关于在页面顶部注入JavaScript \反iframe-buster的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
