Inject javascript at the very top of the page \ Anti iframe-buster


Problem description

I'm developing an extension that, sometimes, will show some websites inside iframes. I've already bypassed the X-FRAME-OPTIONS issue but now I'm stuck with the simple iframe buster code, eg.:

if (top != self) {
   document.getElementsByTagName("html")[0].style.display = "none";
   top.location.replace(location);
}

I'm trying to inject javascript at the very top of the page to override the window.top object, but at document_start it is already too late to inject it, i.e. alert() is never called before the buster script runs:

chrome.webRequest.onCompleted.addListener(function(details) {
    if (isEnabled) {
        chrome.tabs.executeScript(details.tabId, {frameId: details.frameId, runAt: "document_start", code: "alert('asas');"});
    }
}, {
    types: ["sub_frame"],
    urls: ["<all_urls>"]
});

Is there any way around this?

Thank you

Solution

The problem is probably caused by the chrome.webRequest.onCompleted.addListener listener being asynchronous.

document_start injects code before any DOM is created, so that is not the cause of your problem. I have verified this while playing around and trying to answer this question.

The problem here is that chrome.webRequest.onCompleted.addListener is asynchronous, which means that when the callback (and therefore your chrome.tabs.executeScript) is executed, the browser has already started constructing the DOM.

You can start by injecting the script to all relevant iframes directly using the "content_scripts" in manifest.json instead of using programmatic injection. I haven't verified this, but you could also try injecting the script from a chrome.webRequest.onHeadersReceived listener with the "blocking" option, which allows you to handle the request synchronously. You are probably already listening to onHeadersReceived in order to remove the X-Frame-Options header anyway.


Edit:

Programmatic injection in a blocking onHeadersReceived listener is not possible. Chrome returns an error about lack of permissions - probably because the URL is not known at this point yet (the headers could cause a redirect).
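
One way to check the timing difference described in the answer above, added here as an example and not part of the original thread: a small probe that reports how far the parser had progressed when the script was injected, so declarative and programmatic injection can be compared per frame. The file name timing-probe.js, the function names and the sample objects are assumptions made for this example; the classification is a heuristic.

```javascript
// Added example (not from the original thread). Diagnostic content script that
// reports how far the parser had progressed when the script was injected.
//
// Assumed manifest.json entry (declarative injection, as the answer suggests):
//   "content_scripts": [{
//     "matches": ["<all_urls>"],
//     "js": ["timing-probe.js"],        // hypothetical file name
//     "run_at": "document_start",
//     "all_frames": true
//   }]

// Classify the injection point from a Document-like object.
function classifyInjectionPoint(doc) {
  const scripts = doc.scripts ? doc.scripts.length : 0;
  if (doc.readyState !== "loading") {
    return { stage: "after-parse", readyState: doc.readyState, scripts };
  }
  // Heuristic: Chrome documents document_start as running before any other
  // DOM is constructed and before any page script runs, so <head>, <body>
  // and script elements should all be absent at that moment.
  if (!doc.head && !doc.body && scripts === 0) {
    return { stage: "before-dom", readyState: doc.readyState, scripts };
  }
  return { stage: "parsing-started", readyState: doc.readyState, scripts };
}

// Constructed stand-ins for `document` at three moments, for running offline.
const SAMPLE_DOCS = {
  declarativeStart: { readyState: "loading", head: null, body: null, scripts: [] },
  lateProgrammatic: { readyState: "loading", head: {}, body: {}, scripts: [{}] },
  afterLoad: { readyState: "complete", head: {}, body: {}, scripts: [{}, {}] },
};

function runSamples() {
  const out = {};
  for (const [name, doc] of Object.entries(SAMPLE_DOCS)) {
    out[name] = classifyInjectionPoint(doc).stage;
  }
  return out;
}

if (typeof document !== "undefined") {
  // Running as a content script: log the result for this frame.
  console.log("[timing-probe]", location.href, classifyInjectionPoint(document));
} else {
  // Running under Node: print the classification of the constructed samples.
  console.log(runSamples());
}
```

Passing the same code string to chrome.tabs.executeScript from the onCompleted callback shows in the frame's console whether that path lands in "parsing-started" or later.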
