Jon*_*der 5 javascript google-chrome-extension content-security-policy
我已经设置了扩展程序的CSP以允许从localhost(在理论上)加载:
"content_security_policy": "script-src 'self' 'unsafe-eval' https://localhost:* ws://localhost:* https://*.mysite.com; object-src 'self'",
我有一个web_accessible_resource尝试加载和执行远程脚本:
<html>
<head>
<title>Sign in</title>
</head>
<body>
<script src="./auth.js"></script>
</body>
</html>
(简体)内容auth.js:
(function(doc, script) {
script = doc.createElement('script')
script.type = 'text/javascript'
script.async = true
script.src = 'https://localhost:3333/remote-server/auth.js'
doc.getElementsByTagName('head')[0].appendChild(script)
}(document))
但是,我收到以下错误:
Refused to load the script 'https://localhost:3333/remote-server/auth.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'".
这似乎不尊重扩展的CSP.我已经尝试直接在HTML中添加以下标题,但仍然没有乐趣.
<meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-eval' https://localhost:* ws://localhost:* https://*.mysite.com">
我需要一些其他地方来表明CSP吗?
UPDATE
更改资源的HTML以直接加载远程脚本也无法解决问题:
<html>
<head>
<title>Sign in</title>
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-eval' https://localhost:* ws://localhost:* https://*.mysite.com">
</head>
<body>
<script src="https://localhost:3333/remote-server/auth.js"></script>
</body>
</html>
仍然导致:
Refused to load the script 'https://localhost:3333/remote-server/auth.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'".
其中仍然没有引用<meta>标签的内容
更新2
页面通过加载
chrome.windows.create({
url: 'chrome-extension://my-extension/auth.html',
type: 'popup',
height: 680,
width: 500
}, (windw) => console.log(windw))
| 归档时间: |
|
| 查看次数: |
531 次 |
| 最近记录: |