Javascript 内容安全策略和Facebook附加组件。不起作用


我正在制作一个Firefox插件。它需要

1.阅读网页

2基于此,在我的网站上发布信息

3根据我的网站返回的内容显示文本

我无法在 Facebook.com 上实现这一点，我认为这是因为 Facebook 限制性的内容安全策略（CSP）。我无法让附加组件的内容脚本发出 POST 请求。

我试过:

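  // This runs as a content script inside the Facebook page, so the request is
  // governed by the page's CSP: XMLHttpRequest is covered by connect-src (or
  // default-src when connect-src is absent). A site that does not list
  // mysite.com blocks the request before it leaves the browser. The robust fix
  // is to issue the request from the add-on's privileged (main/background)
  // side and pass the result back to the content script via messaging.
  var url = 'https://mysite.com';

  var request = new XMLHttpRequest();
  request.open("POST", url, true);
  request.onload = function () {
       alert("returned");
  };
  // Without an error handler a CSP-blocked request fails silently apart from
  // the console message; surface the failure so it is visible to the caller.
  request.onerror = function () {
       alert("request failed (blocked by CSP or network error)");
  };
  request.send();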
在非 Facebook 网站上这是可行的。在 Facebook 上，“网络”选项卡里看不到任何请求（请求在发出前就被浏览器拦下了），控制台报出如下错误：

Content Security Policy: The page's settings blocked the loading of a resource at ...
我也尝试过使用iframe做一些事情:

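// NOTE(review): the iframe route does not escape the page's CSP. In the
// original, the handler was an inline onLoad="..." attribute, which is itself
// inline script and is blocked by a script-src policy without 'unsafe-inline';
// and whatever the handler does still executes in the Facebook document, so its
// XMLHttpRequest is governed by the same connect-src rules as the first attempt.
// The original listing also had two syntax problems: a double-quoted string
// broken across several lines (a SyntaxError) and a stray ';' inside the
// <iframe ...> tag. The handler is a plain function here instead of a string.
var onload = function () {
    var url = 'https://mysite.com';
    var request = new XMLHttpRequest();
    request.open('GET', url, true);
    // Install the handler before send() so a fast response cannot be missed.
    request.onload = function () { alert(); };
    request.send();
};

// Build the elements directly rather than concatenating markup into innerHTML:
// string-built markup with an inline event handler is both what CSP forbids
// and a classic injection pattern.
var iframe_wrapper = window.document.createElement("div");
var iframe = window.document.createElement("iframe");
iframe.src = "https://mysite.com";
iframe.onload = onload;
iframe_wrapper.appendChild(iframe);
window.document.body.appendChild(iframe_wrapper);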

有办法解决这个问题吗？请注意，用第一种直接方法在我的 Chrome 扩展里是可行的。

解决办法是改写响应头中的 CSP 规则。我是从这里的另一个帖子得到这个方法的：

但这个版本略有不同

但可以复制粘贴下面这段代码（注意：它会对每一个状态为 200 的响应重写 Content-Security-Policy 头，把 script-src 替换成 * 'unsafe-inline' 'unsafe-eval'，相当于关闭了所有站点的脚本防护。实际使用时应只对目标站点生效，并且只把你自己的主机追加到相关指令上——拦截 XMLHttpRequest 的是 connect-src，而不是 script-src）：

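var httpRequestObserver =
{
    // Only responses from these hosts get their CSP header rewritten. The
    // original rewrote every 200 response in the browser, i.e. it disabled the
    // policy of every site the user visits, not just the one the add-on needs.
    // Extend the list if the page is served from other Facebook subdomains.
    targetHosts: ['www.facebook.com', 'facebook.com'],

    /**
     * nsIObserver callback for 'http-on-examine-response'.
     * Rewrites the response's CSP header (standard name first, then the legacy
     * X-Content-Security-Policy name) for responses from targetHosts only.
     *
     * @param subject nsIHttpChannel (via QueryInterface) of the response
     * @param topic   observer topic, unused
     * @param data    observer data, unused
     */
    observe: function(subject, topic, data)
    {
        var httpChannel = subject.QueryInterface(Ci.nsIHttpChannel);
        var requestURL = httpChannel.URI.spec;

        if (httpChannel.responseStatus !== 200) {
            return;
        }

        // nsIURI.host — presumably the bare host name without port; confirm
        // if a port is ever present in the page URL.
        var host = httpChannel.URI.host;
        if (httpRequestObserver.targetHosts.indexOf(host) === -1) {
            return;
        }

        // Only the header lookup is wrapped in try/catch (see the helper), so a
        // bug in the rewriting function is no longer mistaken for "no CSP header".
        var headerName = 'Content-Security-Policy';
        var cspRules = _readResponseHeaderOrNull(httpChannel, headerName);
        if (cspRules === null) {
            headerName = 'X-Content-Security-Policy'; // pre-standard fallback name
            cspRules = _readResponseHeaderOrNull(httpChannel, headerName);
        }
        if (cspRules === null) {
            // No policy is sent, so nothing blocks the add-on's request here.
            console.warn('no CSP header on ' + requestURL + '; nothing to rewrite');
            return;
        }

        // XMLHttpRequest/fetch are governed by connect-src (falling back to
        // default-src), not by script-src; the helper must be pointed at that
        // directive for the add-on's POST to get through.
        var mycsp = _getCspAppendingMyHostDirective(cspRules);
        httpChannel.setResponseHeader(headerName, mycsp, false);
        console.info('rewrote ' + headerName + ' on ' + requestURL);
    }

};

/**
 * Read one response header, or return null when it is absent.
 * nsIHttpChannel.getResponseHeader throws when the header is missing
 * (https://developer.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsIHttpChannel);
 * this keeps that exception-as-absence contract confined to one place.
 *
 * @param {nsIHttpChannel} httpChannel  channel whose response headers are read
 * @param {string} name                 header name
 * @returns {string|null}               header value, or null when not present
 */
function _readResponseHeaderOrNull(httpChannel, name) {
    try {
        return httpChannel.getResponseHeader(name);
    } catch (e) {
        return null;
    }
}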

Cu.import('resource://gre/modules/devtools/Console.jsm');

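/**
 * Return a copy of a Content-Security-Policy header value with one extra
 * source host added to one directive.
 *
 * Unlike the original, which REPLACED the directive with
 * "* 'unsafe-inline' 'unsafe-eval'" (disabling the site's script policy), this
 * only appends the host and leaves every other source in place:
 *   - if the directive exists, the host is appended (once; 'none' is dropped,
 *     since it is only meaningful on its own);
 *   - if it does not exist but default-src does, a new directive is created
 *     from default-src's sources plus the host — a new directive replaces the
 *     default-src fallback, so starting from its sources avoids tightening
 *     the policy;
 *   - if neither exists, nothing restricts that directive and the value is
 *     returned unchanged.
 *
 * @param {string} cspRules   raw header value, e.g. "default-src 'self'; script-src 'self'"
 * @param {string} [myHost]   source to add; defaults to 'https://mysite.com'
 * @param {string} [directive] directive to extend; defaults to 'script-src'.
 *                            Use 'connect-src' to allow XMLHttpRequest/fetch.
 * @returns {string}          rewritten header value (directives joined by '; ')
 */
function _getCspAppendingMyHostDirective(cspRules, myHost, directive) {
    if (myHost === undefined) myHost = 'https://mysite.com';
    if (directive === undefined) directive = 'script-src';
    var wantedName = directive.toLowerCase();

    var rules = cspRules.split(';')
        .map(function (r) { return r.trim(); })
        .filter(function (r) { return r.length > 0; });

    // Index of the rule whose first token is the given directive name (case-insensitive).
    function indexOfDirective(name) {
        for (var i = 0; i < rules.length; i++) {
            var firstToken = rules[i].split(/\s+/)[0];
            if (firstToken.toLowerCase() === name) return i;
        }
        return -1;
    }

    var idx = indexOfDirective(wantedName);
    if (idx === -1) {
        var defaultIdx = indexOfDirective('default-src');
        if (defaultIdx === -1) {
            return cspRules; // nothing restricts this directive; leave the policy alone
        }
        var inherited = rules[defaultIdx].split(/\s+/).slice(1);
        rules.push([directive].concat(inherited).join(' '));
        idx = rules.length - 1;
    }

    var tokens = rules[idx].split(/\s+/);
    var sources = tokens.slice(1).filter(function (s) { return s.toLowerCase() !== "'none'"; });
    if (sources.indexOf(myHost) === -1) sources.push(myHost);
    rules[idx] = [tokens[0]].concat(sources).join(' ');

    return rules.join('; ');
}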
然后运行以下代码注册观察者。注意第二行的 removeObserver 应在插件卸载时调用，而不是紧跟在 addObserver 之后——否则观察者刚注册就被注销，永远不会收到任何响应：

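// Register at add-on startup. 'http-on-examine-response' fires for every HTTP
// response in the browser, for every site, so the observer itself must filter
// by host before touching a header.
Services.obs.addObserver(httpRequestObserver, 'http-on-examine-response', false);

// Call this from the add-on's unload/shutdown hook. In the original listing the
// removeObserver call followed addObserver immediately, so the observer was
// unregistered before it could ever see a response; and leaving it registered
// after unload would keep rewriting CSP headers with the add-on gone.
function removeHttpRequestObserver() {
    Services.obs.removeObserver(httpRequestObserver, 'http-on-examine-response');
}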

该页面还提供了完整的可运行示例（原链接未保留）。插件卸载时注销观察者：
// Belongs in the add-on's unload/shutdown path, never right after addObserver.
// NOTE(review): removeObserver takes (observer, topic); the trailing `false` is
// presumably ignored — confirm against nsIObserverService.
Services.obs.removeObserver(httpRequestObserver, 'http-on-examine-response', false);