在公共页面上忽略了Chrome扩展清单CSP

Chrome extension manifest CSP ignored on public page

本文关键字:Chrome 扩展 CSP      更新时间:2023-09-26

我已经将扩展的CSP设置为允许从localhost加载(理论上):

"content_security_policy": "script-src 'self' 'unsafe-eval' https://localhost:* ws://localhost:* https://*.mysite.com; object-src 'self'",

我有一个web_accessible_resource,它试图加载并执行远程脚本:

<html>
  <head>
    <title>Sign in</title>
  </head>
  <body>
    <script src="./auth.js"></script>
  </body>
</html>

auth.js:的(简化)内容

(function(doc, script) {
  script = doc.createElement('script')
  script.type = 'text/javascript'
  script.async = true
  script.src = 'https://localhost:3333/remote-server/auth.js'
  doc.getElementsByTagName('head')[0].appendChild(script)
}(document))

然而,我得到了以下错误:

Refused to load the script 'https://localhost:3333/remote-server/auth.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'".

这似乎不尊重扩展的CSP。我试着直接将下面的标题添加到HTML中,但仍然没有什么乐趣。

<meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-eval' https://localhost:* ws://localhost:* https://*.mysite.com">

是否有其他地方需要我指示CSP?

更新

更改资源的HTML以直接加载远程脚本也没有解决问题:

<html>
  <head>
    <title>Sign in</title>
    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-eval' https://localhost:* ws://localhost:* https://*.mysite.com">
  </head>
  <body>
    <script src="https://localhost:3333/remote-server/auth.js"></script>
  </body>
</html>

仍会导致:

Refused to load the script 'https://localhost:3333/remote-server/auth.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'".

它仍然没有参考<meta>标签的内容

更新2

页面通过加载

chrome.windows.create({
  url: 'chrome-extension://my-extension/auth.html',
  type: 'popup',
  height: 680,
  width: 500
}, (windw) => console.log(windw))

HTTP头将优先,如果您有这些,元标记将被忽略。

问题是,谷歌chrome符合主要的网页标题。并且这些将优先,你必须为你试图加载脚本的页面禁用CSP。

相关文章: