I am trying to run the following command:
chrome.tabs.onCreated.addListener(function (tab) {
  // Note: onCreated fires when the tab is created, before it has navigated,
  // so tab.url may still be empty here; guard against undefined.
  var url = tab.url || "";
  if (url.indexOf(".salesforce.com/") != -1 || url.indexOf(".force.com/") != -1) {
    chrome.tabs.executeScript(tab.id, {
      "file": "loadScript.js"
    }, function () {
      console.log("Script Executed .. ");
    });
  } else {
    var wrongTab = chrome.i18n.getMessage("wrongTab");
    console.log(wrongTab);
    alert(wrongTab);
  }
});
This should (in theory) run the loadScript.js file on page load... The loadScript.js file is below; it should append the file to the page it is running in, rather than instantly as it would in a background page:
/* Create a script element in the head of the HTML and put /soap/ajax/31.0/connection.js in the src */
var connectJsUrl = "/connection.js";
function loadScript(url, callback) {
  var head = document.getElementsByTagName("head")[0];
  var script = document.createElement("script");
  script.src = url; // resolved relative to the page the content script runs in
  var done = false;
  script.onload = script.onreadystatechange = function () {
    if (!done && (!this.readyState || this.readyState == "loaded" || this.readyState == "complete")) {
      done = true;
      callback();
      script.onload = script.onreadystatechange = null;
      head.removeChild(script);
    }
  };
  head.appendChild(script);
}
loadScript(connectJsUrl, function () {
  console.log("Script Confirmed...");
});
/* Check to see if the file has been appended correctly and works correctly */
// chrome.runtime.getURL() builds the chrome-extension://<id>/ URL; the original
// concatenated the page's own host, which never forms a valid extension URL.
var JSFile = chrome.runtime.getURL(connectJsUrl);
var req = (window.XMLHttpRequest) ? new XMLHttpRequest() : new ActiveXObject("Microsoft.XMLHTTP");
if (req == null) {
  console.log("Error: XMLHttpRequest failed to initiate.");
}
req.onload = function () {
  try {
    // This eval() of the fetched text is what the extension's CSP refuses
    // (see the error message quoted below).
    eval(req.responseText);
  } catch (e) {
    console.log("There was an error in the script file.");
  }
};
try {
  req.open("GET", JSFile, true);
  req.send(null);
} catch (e) {
  console.log("Error retrieving data httpReq. Some browsers only accept cross-domain request with HTTP.");
}
I am still new to Chrome extensions and .js, so please forgive me if I made a silly mistake :)
The message I get from this is: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' chrome-extension-resource:".
Google blocks the eval function to prevent cross-site scripting.
To fix this, add this code to manifest.json:
  "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'",
Comment if you need further explanation.
IMPORTANT
As mentioned earlier, add this to your manifest.json:
  "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"
Make sure "manifest_version" is set to 2, i.e.
  // this
  "manifest_version": 2
For some security reasons, Chrome extensions on manifest_version 3 do not support unsafe eval.
Also make sure to reload your extension.
You cannot run code that uses unsafe eval in manifest v3. If you use any bundler such as webpack or vite, you can change the code so that it does not use eval, or check whether the bundle contains any eval. Below is a list of syntax you should not use in manifest 3.
Adding a content_security_policy with unsafe-eval is insecure because the website may be vulnerable to an XSS attack. But if you happen to use any wasm code, the configuration below avoids eval on manifest 3:
  "content_security_policy": {
    "extension_pages": "script-src 'self' 'wasm-unsafe-eval'; object-src 'self'"
  }
If you use any iframe, also add the following:
  "content_security_policy": {
    "extension_pages": "script-src 'self' 'wasm-unsafe-eval'; object-src 'self'",
    "sandbox": "script-src 'self' 'wasm-unsafe-eval'; object-src 'self'"
  }
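As an added example (not code from the question or from any of the answers above), the following Node.js script makes the points of the last three answers checkable: it parses a content_security_policy string the way the error messages quote it, reports whether a policy admits eval(), lints the manifest key for MV2 versus MV3 (flagging 'unsafe-eval' in extension_pages and misspelled keys), and scans bundled source for the eval-like constructs a bundler can leave behind. The function names (parseCsp, allowsEval, checkManifestCsp, findEvalUsage) are my own; the sample policies are the ones quoted on this page and the bundle text is constructed.

```javascript
// Added example (not from the question or answers): a Node.js checker for an
// extension's content_security_policy plus a scan for eval-like code.
// Function names here are my own; sample policies/bundle text are constructed.

// Parse "script-src 'self' 'unsafe-eval'; object-src 'self'" into
// { 'script-src': ["'self'", "'unsafe-eval'"], 'object-src': ["'self'"] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// eval(), new Function() and string timers are governed by script-src
// (falling back to default-src); only the 'unsafe-eval' keyword permits them.
function allowsEval(policy) {
  const d = parseCsp(policy);
  const sources = d['script-src'] || d['default-src'] || [];
  return sources.includes("'unsafe-eval'");
}

// Lint the content_security_policy key of a manifest object.
// Returns a list of problem strings; an empty list means acceptable.
function checkManifestCsp(manifest) {
  const problems = [];
  const csp = manifest.content_security_policy;
  if (csp === undefined) return problems; // Chrome applies its default policy
  if (manifest.manifest_version === 2) {
    if (typeof csp !== 'string') {
      problems.push('MV2 content_security_policy must be a string');
    } else if (allowsEval(csp)) {
      // Chrome accepts this, but any XSS in an extension page then becomes code execution.
      problems.push("MV2 policy grants 'unsafe-eval'; extension pages lose CSP protection against injected strings");
    }
  } else if (manifest.manifest_version === 3) {
    if (typeof csp !== 'object' || csp === null) {
      problems.push('MV3 content_security_policy must be an object with extension_pages and/or sandbox');
      return problems;
    }
    for (const key of Object.keys(csp)) {
      if (key !== 'extension_pages' && key !== 'sandbox') {
        problems.push(`unknown key "${key}" (MV3 accepts extension_pages and sandbox)`);
      }
    }
    if (csp.extension_pages && allowsEval(csp.extension_pages)) {
      problems.push("extension_pages must not contain 'unsafe-eval' in MV3; Chrome only accepts 'wasm-unsafe-eval'");
    }
  } else {
    problems.push('unsupported manifest_version: ' + manifest.manifest_version);
  }
  return problems;
}

// Line-based heuristic for the constructs the CSP refuses; good enough as a CI gate.
const EVAL_PATTERNS = [
  { kind: 'eval', re: /\beval\s*\(/ },
  { kind: 'new Function', re: /\bnew\s+Function\s*\(/ },
  { kind: 'setTimeout(string)', re: /\bsetTimeout\s*\(\s*['"`]/ },
  { kind: 'setInterval(string)', re: /\bsetInterval\s*\(\s*['"`]/ },
];
function findEvalUsage(source) {
  const hits = [];
  source.split('\n').forEach((line, i) => {
    for (const p of EVAL_PATTERNS) {
      if (p.re.test(line)) hits.push({ line: i + 1, kind: p.kind });
    }
  });
  return hits;
}

// Constructed inputs: the default policies quoted in the errors on this page,
// the MV2 fix from the answers, and a few lines as a bundler might emit them.
const MV2_DEFAULT = "script-src 'self' chrome-extension-resource:";
const MV3_DEFAULT = "script-src 'self' 'wasm-unsafe-eval' 'inline-speculation-rules' http://localhost:* http://127.0.0.1:*";
const MV2_WITH_EVAL = "script-src 'self' 'unsafe-eval'; object-src 'self'";
const SAMPLE_BUNDLE = [
  'const cfg = JSON.parse(text);',
  "const fn = new Function('return 1');",
  "setTimeout('doWork()', 10);",
  'eval(req.responseText);',
].join('\n');

console.log('MV2 default allows eval:', allowsEval(MV2_DEFAULT));  // false
console.log('MV2 fix allows eval:', allowsEval(MV2_WITH_EVAL));    // true
console.log('MV3 default allows eval:', allowsEval(MV3_DEFAULT));  // false
console.log(checkManifestCsp({ manifest_version: 3, content_security_policy: { extension_page: MV3_DEFAULT } }));
console.log(findEvalUsage(SAMPLE_BUNDLE)); // lines 2, 3 and 4 are flagged
```

The scan is deliberately a regex over lines rather than a parser, so it can run over minified output in a build step; a hit means the bundle will hit the same "Refused to evaluate a string" error under the default MV3 policy.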
After experimenting, I found that running a web server that hosts the html file (which runs your eval) still works. Then send the result to the parent window and you're done.
Client:
  var elm = document.createElement('iframe');
  elm.src = 'http://localhost:3000'; // I used a basic expressJS server
  document.body.appendChild(elm);
Server:
  const express = require('express');
  const socketIO = require('socket.io'); // Optional
  const http = require('http');
  const path = require('path');
  const app = express();
  let server = http.createServer(app);
  let io = socketIO(server);
  // Static files (index.html below) are served from ../public
  const publicPath = path.resolve(__dirname, '../public');
  const port = process.env.PORT || 3000;
  app.use(express.static(publicPath));
  io.on('connection', (client) => {
    console.log('User connected');
  });
  server.listen(port, (err) => {
    if (err) throw new Error(err);
    console.log(`Server running on port ${port}`);
  });
index.html:
  <!DOCTYPE html>
  <html lang="en">
  <head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Test</title>
  </head>
  <body>
    <script>
      // eval() must receive the code as a string to actually be evaluated
      eval("alert('test')");
    </script>
    <!-- Other html.. -->
  </body>
  </html>
You build an extension with manifest v3. The target website has a CSP header in its response that protects it against your extension running scripts.
Suppose you want to run some "unsafe" script in the page context, script.js:
  const foo = new Function('console.log("FOO");');
  foo();

  // 1: inject from the extension (popup/background) with chrome.scripting.executeScript
  chrome.tabs.query({ active: true, currentWindow: true }, (tabs) => {
    chrome.scripting.executeScript({
      target: { tabId: tabs[0].id }, // tabId must be the numeric id, not the Tab object
      files: ['script.js'],
    });
  });

  // 2: register it dynamically as a content script
  chrome.scripting.registerContentScripts([
    {
      id: 'script-id',
      matches: ['<all_urls>'],
      runAt: 'document_start',
      js: ['script.js'],
      allFrames: true,
    }
  ]);

manifest.json, to run this script immediately:
  {
    "content_scripts": [
      {
        "matches": ["<all_urls>"],
        "run_at": "document_start",
        "js": ["script.js"],
        "all_frames": true
      }
    ]
  }
For all 3 cases you will get:
EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'wasm-unsafe-eval' 'inline-speculation-rules' http://localhost:* http://127.0.0.1:*".
The WORKING solution is to inject the script via a content script.
manifest.json:
  {
    "content_scripts": [
      {
        "matches": ["<all_urls>"],
        "run_at": "document_start",
        "js": ["content.js"],
        "all_frames": true
      }
    ],
    "web_accessible_resources": [
      {
        "matches": ["<all_urls>"],
        "resources": ["script.js"]
      }
    ]
  }
content.js injecting script.js:
  // The <script> element runs in the page's own context, under the page's
  // CSP rather than the extension's; script.js must be web-accessible.
  const scriptSrc = chrome.runtime.getURL('script.js');
  const scriptTop = document.createElement('script');
  scriptTop.src = scriptSrc;
  // At document_start <head> may not exist yet, so fall back to the root element
  (document.head || document.documentElement).appendChild(scriptTop);
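Added example, not code from the answer above: the content-script plus web_accessible_resources pattern only works when the page that content.js runs on is also permitted to fetch script.js, and declaring the resource on <all_urls> makes the file loadable (and the extension detectable) from any site. The Node.js checker below implements Chrome match patterns (simplified: ports are ignored and the extension_ids form of web_accessible_resources is not handled) and lints a manifest object for both conditions. The manifests are constructed from the answer's manifest and the Salesforce hosts named in the question; the function names are my own.

```javascript
// Added example (not from the answer above): checks that a script injected by
// a content script is web-accessible on the pages where it runs, and warns
// when resources are exposed on <all_urls>. Function names are my own;
// manifests below are constructed. Runs under Node.js.

const WEB_SCHEMES = ['http', 'https', 'file', 'ftp', 'ws', 'wss'];

function escapeRe(s) { return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); }

// Turn a '*'-glob (match-pattern path or web_accessible_resources entry) into a RegExp.
function globToRe(glob) {
  return new RegExp('^' + glob.split('*').map(escapeRe).join('.*') + '$');
}

// Does `url` satisfy a Chrome match pattern such as "https://*.force.com/*"?
// Simplified: port numbers are not considered.
function matchPattern(pattern, url) {
  const u = new URL(url);
  const scheme = u.protocol.slice(0, -1);
  if (pattern === '<all_urls>') return WEB_SCHEMES.includes(scheme);
  const m = /^(\*|[a-z][a-z0-9+.-]*):\/\/([^/]*)(\/.*)$/.exec(pattern);
  if (!m) throw new Error('invalid match pattern: ' + pattern);
  const [, pScheme, pHost, pPath] = m;
  const schemeOk = pScheme === '*' ? (scheme === 'http' || scheme === 'https') : pScheme === scheme;
  if (!schemeOk) return false;
  let hostOk;
  if (pHost === '*') hostOk = true;
  else if (pHost.startsWith('*.')) {
    const base = pHost.slice(2);
    hostOk = u.hostname === base || u.hostname.endsWith('.' + base);
  } else hostOk = u.hostname === pHost;
  // The path pattern is matched against path plus query string.
  return hostOk && globToRe(pPath).test(u.pathname + u.search);
}

// Which content_scripts entries would run on this page?
function contentScriptsFor(manifest, pageUrl) {
  return (manifest.content_scripts || []).filter(cs =>
    (cs.matches || []).some(p => matchPattern(p, pageUrl)));
}

// Can a page at `pageUrl` load `resource` via chrome.runtime.getURL()? (MV3 form)
function isWebAccessible(manifest, resource, pageUrl) {
  return (manifest.web_accessible_resources || []).some(entry =>
    (entry.resources || []).some(glob => globToRe(glob).test(resource)) &&
    (entry.matches || []).some(p => matchPattern(p, pageUrl)));
}

// Lint the injection pattern. Returns problem strings; empty means fine.
function checkInjection(manifest, pageUrl, resource) {
  const problems = [];
  const active = contentScriptsFor(manifest, pageUrl);
  if (active.length > 0 && !isWebAccessible(manifest, resource, pageUrl)) {
    problems.push(`content script runs on ${pageUrl} but ${resource} is not web-accessible there`);
  }
  for (const entry of manifest.web_accessible_resources || []) {
    if ((entry.matches || []).includes('<all_urls>')) {
      problems.push(`resources ${entry.resources.join(', ')} are exposed to every site (fingerprintable); narrow "matches"`);
    }
  }
  return problems;
}

// Constructed manifests: the answer's (everything on <all_urls>), a version
// narrowed to the Salesforce hosts from the question, and a mismatched one.
const SF_MATCHES = ['https://*.salesforce.com/*', 'https://*.force.com/*'];
const WIDE_MANIFEST = {
  manifest_version: 3,
  content_scripts: [{ matches: ['<all_urls>'], run_at: 'document_start', js: ['content.js'], all_frames: true }],
  web_accessible_resources: [{ matches: ['<all_urls>'], resources: ['script.js'] }],
};
const NARROW_MANIFEST = {
  manifest_version: 3,
  content_scripts: [{ matches: SF_MATCHES, run_at: 'document_start', js: ['content.js'] }],
  web_accessible_resources: [{ matches: SF_MATCHES, resources: ['script.js'] }],
};
const MISMATCHED_MANIFEST = {
  manifest_version: 3,
  content_scripts: [{ matches: ['<all_urls>'], js: ['content.js'] }],
  web_accessible_resources: [{ matches: SF_MATCHES, resources: ['script.js'] }],
};

console.log(checkInjection(WIDE_MANIFEST, 'https://other.example/', 'script.js'));        // 1 warning
console.log(checkInjection(MISMATCHED_MANIFEST, 'https://other.example/', 'script.js'));  // 1 problem
console.log(checkInjection(NARROW_MANIFEST, 'https://na1.salesforce.com/home', 'script.js')); // []
```

Keeping "matches" identical in content_scripts and web_accessible_resources, and as narrow as the feature needs, is the practical takeaway: the mismatched manifest injects a script tag on every site that can never load, and the wide one hands every site a stable chrome-extension:// URL to probe.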