Inject javascript at the very top of the page \ Anti iframe-buster
I'm developing an extension that, sometimes, will show some websites inside iframes. I've already bypassed the X-FRAME-OPTIONS issue but now I'm stuck with the simple iframe buster code, eg.:
if (top != self) {
    document.getElementsByTagName("html")[0].style.display = "none";
    top.location.replace(location);
}
I'm trying to inject javascript at the very top of the page to override the window.top object, but at document_start it is already too late to inject it, i.e. alert() is never called before the buster script runs:
chrome.webRequest.onCompleted.addListener(function(details) {
    if (isEnabled) {
        chrome.tabs.executeScript(details.tabId, {frameId: details.frameId, runAt: "document_start", code: "alert('asas');"});
    }
}, {
    types: ["sub_frame"],
    urls: ["<all_urls>"]
});
Is there any way around this?
Thank you
The problem is probably caused by the chrome.webRequest.onCompleted.addListener listener being asynchronous
document_start injects code before any DOM is created, so that is not the cause of your problem. I have verified this while playing around and trying to answer this question.
The problem here is that chrome.webRequest.onCompleted.addListener is asynchronous, which means that when the callback (and therefore your chrome.tabs.executeScript) is executed, the browser has already started constructing the DOM.
You can start by injecting the script to all relevant iframes directly using the "content_scripts" in manifest.json instead of using programmatic injection. I haven't verified this, but you could also try injecting the script from a chrome.webRequest.onHeadersReceived listener with the "blocking" option, which allows you to handle the request synchronously. You are probably already listening to onHeadersReceived in order to remove the X-Frame-Options header anyway.
Edit:
Programmatic injection in a blocking onHeadersReceived listener is not possible. Chrome returns an error about lack of permissions - probably because the URL is not known at this point yet (the headers could cause a redirect).