Question
Gmail just updated its Content Security Policy: http://googleonlinesecurity.blogspot.com/2014/12/reject-unexpected-content-security.html
This is throwing an error for my Chrome extension, which augments gmail. To be clear, my content script is loading another script that is hosted on my server. This allows for rapid deployment.
Refused to load the script 'https://<domain-path>.js?' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://talkgadget.google.com/ https://www.googleapis.com/appsmarket/v2/installedApps/ https://www-gm-opensocial.googleusercontent.com/gadgets/js/ https://docs.google.com/static/doclist/client/js/ https://www.google.com/tools/feedback/ https://s.ytimg.com/yts/jsbin/ https://www.youtube.com/iframe_api https://ssl.google-analytics.com/ https://apis.google.com/_/scs/abc-static/ https://apis.google.com/js/ https://clients1.google.com/complete/ https://apis.google.com/_/scs/apps-static/_/js/ https://ssl.gstatic.com/inputtools/js/ https://ssl.gstatic.com/cloudsearch/static/o/js/ https://www.gstatic.com/feedback/js/ https://www.gstatic.com/common_sharing/static/client/js/ https://www.gstatic.com/og/_/js/".
This is how I load the hosted script from content script:
var script = document.createElement('script');
script.type = 'text/javascript';
script.src = 'https://<domain-path>.js';
(document.body || document.head || document.documentElement).appendChild(script);
Any thoughts?
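To see why the extension's script is refused, it helps to run the script's URL through the same source matching the browser applies to the script-src directive. The following is an added example, not code from the question or the answer: a simplified CSP Level 2 source-expression matcher (scheme, host wildcard, port and path-prefix rules, query string ignored, nonces and hashes not handled) run against a constructed excerpt of the Gmail directive quoted above. The page origin https://mail.google.com, the extension host extension-host.example and the helper names are assumptions of this example.

```javascript
// Added example: simplified matching of CSP Level 2 script-src source expressions.
// Constructed excerpt of the script-src directive quoted in the question (not the full list).
const GMAIL_SCRIPT_SRC =
  "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://talkgadget.google.com/ " +
  "https://www.googleapis.com/appsmarket/v2/installedApps/ https://www.youtube.com/iframe_api " +
  "https://apis.google.com/js/ https://ssl.gstatic.com/inputtools/js/";

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Return the source list of a named directive, or null if the header lacks it.
function parseDirective(header, name) {
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === name) return tokens.slice(1);
  }
  return null;
}

// Match one host-source expression ([scheme://]host[:port][/path]) against a URL.
// IPv6 literals are not handled; this is an illustration, not a full CSP engine.
function hostSourceMatches(expr, url, pageOrigin) {
  if (expr === '*') return true;                       // bare wildcard: any http(s) host
  let rest = expr;
  let scheme = null;
  const m = /^([a-z][a-z0-9+.-]*):\/\//i.exec(rest);
  if (m) { scheme = m[1].toLowerCase() + ':'; rest = rest.slice(m[0].length); }
  const slash = rest.indexOf('/');
  const hostPort = slash === -1 ? rest : rest.slice(0, slash);
  const path = slash === -1 ? '' : rest.slice(slash);
  let host = hostPort.toLowerCase();
  let port = null;
  const colon = hostPort.lastIndexOf(':');
  if (colon !== -1) { host = hostPort.slice(0, colon).toLowerCase(); port = hostPort.slice(colon + 1); }

  // Scheme: explicit scheme must match; otherwise the page's own scheme is assumed.
  const wantScheme = scheme || new URL(pageOrigin).protocol;
  if (url.protocol !== wantScheme) return false;

  // Host: "*.example.com" matches subdomains only; anything else is an exact match.
  const h = url.hostname.toLowerCase();
  if (host.startsWith('*.')) {
    if (!h.endsWith(host.slice(1))) return false;
  } else if (h !== host) {
    return false;
  }

  // Port: omitted means the scheme's default port; "*" means any port.
  const urlPort = url.port || DEFAULT_PORTS[url.protocol] || '';
  if (port === null) {
    if (urlPort !== (DEFAULT_PORTS[url.protocol] || '')) return false;
  } else if (port !== '*' && port !== urlPort) {
    return false;
  }

  // Path: a trailing "/" is a prefix match, otherwise exact; the query string is ignored.
  if (path) {
    if (path.endsWith('/')) {
      if (!url.pathname.startsWith(path)) return false;
    } else if (url.pathname !== path) {
      return false;
    }
  }
  return true;
}

// Decide whether a script URL may be loaded under the given CSP header on the given page.
function isScriptAllowed(header, scriptUrl, pageOrigin) {
  const sources = parseDirective(header, 'script-src') || parseDirective(header, 'default-src');
  if (!sources) return true;                           // no applicable directive restricts scripts
  const url = new URL(scriptUrl);
  const page = new URL(pageOrigin);
  for (const src of sources) {
    if (src === "'none'") return false;
    if (src === "'self'") { if (url.origin === page.origin) return true; continue; }
    if (src.startsWith("'")) continue;                 // 'unsafe-inline', 'unsafe-eval', nonces, hashes: not URL sources
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) {            // scheme-source such as "https:"
      if (url.protocol === src.toLowerCase()) return true;
      continue;
    }
    if (hostSourceMatches(src, url, pageOrigin)) return true;
  }
  return false;
}

// Constructed check mirroring the question: the extension's own host is not listed, so it is refused.
console.log(isScriptAllowed(GMAIL_SCRIPT_SRC, 'https://extension-host.example/script.js?', 'https://mail.google.com'));
```

Running it shows the refusal is not about the file or the query string but about the host: only the whitelisted origins (and, for the entries with a path, only the listed path prefixes) are allowed, which is exactly what the error in the question reports.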
Answer 1:
You should not insert external scripts in Gmail, because it slows down the page load time and makes it harder for others to audit your extension. And you should certainly not use the webRequest API to remove the Content-Security-Policy header, because this reduces the security of Gmail.
If you really want to fetch and execute the latest version of your code in the page's context, use XMLHttpRequest to load the script, then insert a <script> tag with this code:
// NOTE: Inserting external scripts should be avoided if possible!
// Do not use this method if your extension can completely function
// without external scripts!
// Even if you have to load an external script, make sure that it is loaded over
// https:, NEVER over http: ! If you insert scripts from http:-URLs, your users'
// security can be compromised by MITM attacks.
var x = new XMLHttpRequest();
x.open('GET', 'https://example.com/script.js');
x.onload = function() {
var s = document.createElement('script');
s.textContent = x.responseText;
(document.head || document.documentElement).appendChild(s);
};
x.onerror = function() {
// Failed to load. Fallback to loading an (old version of your) script
// that is bundled with your extension. It must be listed in the
// "web_accessible_resources" section in your manifest file.
var s = document.createElement('script');
s.src = chrome.runtime.getURL('script.js');
(document.head || document.documentElement).appendChild(s);
};
x.send();
This method does not require the 'unsafe-inline' directive, because inline scripts injected by extensions bypass the content security policy (ref).
Source: https://stackoverflow.com/questions/27515117/gmail-content-security-policy-on-chrome-extensions