firefox-addon - How to add a Content Security Policy to a Firefox extension

Tags: firefox-addon

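I have a plugin that I have to support on both the Chrome and Firefox browsers. The plugin does cross-script loading.

In Chrome, by adding a content security policy to my manifest.json file, I could get away with it. How can I do this for a Firefox extension?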

Best answer

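I couldn't find a simple solution to my problem, and after looking at some Firefox add-on extensions I had to come up with my own solution, shown below. The solution below was tested on FF 24.0, but it should work on other versions as well.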

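// Cc and Ci are the conventional shorthands for Components.classes and
// Components.interfaces; they must be in scope before this runs.
Cc["@mozilla.org/observer-service;1"].getService(Ci.nsIObserverService)
    .addObserver(_httpExamineCallback, "http-on-examine-response", false);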

function _httpExamineCallback(aSubject, aTopic, aData) {
    var httpChannel = aSubject.QueryInterface(Ci.nsIHttpChannel);

    if (httpChannel.responseStatus !== 200) {
        return;
    }

    var cspRules;
    var mycsp;
    // There is no clean way to check for the presence of a CSP header; an
    // exception will be thrown if it is not there.
    // https://developer.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsIHttpChannel
    try {
        cspRules = httpChannel.getResponseHeader("Content-Security-Policy");
        mycsp = _getCspAppendingMyHostDirective(cspRules);
        httpChannel.setResponseHeader('Content-Security-Policy', mycsp, false);
    } catch (e) {
        try {
            // Fallback mechanism support             
            cspRules = httpChannel.getResponseHeader("X-Content-Security-Policy");
            mycsp = _getCspAppendingMyHostDirective(cspRules);    
            httpChannel.setResponseHeader('X-Content-Security-Policy', mycsp, false);            
        } catch (e) {
            // no csp headers defined
            return;
        }
    }

};

/**
 * @param cspRules : content security policy
 * For my requirement I only have to append a rule to the 'script-src' directive,
 * but you can modify this function to suit your needs.
 */
function _getCspAppendingMyHostDirective(cspRules) {
  var rules = cspRules.split(';'),
    scriptSrcDefined = false,
    defaultSrcIndex = -1;

  for (var ii = 0; ii < rules.length; ii++) {
    if (rules[ii].toLowerCase().indexOf('script-src') != -1) {
      rules[ii] = rules[ii] + ' <My CSP Rule gets appended here>';
      scriptSrcDefined = true;
    }

    if (rules[ii].toLowerCase().indexOf('default-src') != -1) {
      defaultSrcIndex = ii;
    }
  }

  // A few publishers put everything in the default (default-src) directive
  // without defining script-src. We need to modify those as well.
  if ((!scriptSrcDefined) && (defaultSrcIndex != -1)) {
    rules[defaultSrcIndex] = rules[defaultSrcIndex] + ' <My CSP rule gets appended here>';
  }

  return rules.join(';');
};

Regarding firefox-addon - How to add a Content Security Policy to a Firefox extension, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/19264831/
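An added example, not part of the original answer or of any Mozilla code: a directive-aware variant of the header rewrite in the answer above. It matches directive names exactly instead of by substring, copies `default-src` into a new `script-src` rather than widening `default-src` for every resource type, and rewrites each policy in a comma-merged header value. `EXT_ORIGIN` and the function names are hypothetical.

```javascript
// Added example. EXT_ORIGIN is a hypothetical placeholder, not a value from the page.
const EXT_ORIGIN = "https://cdn.example.test";

// Accept only one https scheme+host(+port): no wildcards, paths or CSP keywords.
function isNarrowOrigin(src) {
  return /^https:\/\/[a-z0-9.-]+(:\d+)?$/i.test(src);
}

// Split one policy into [name, sources] pairs. Directive names are compared
// exactly, and a repeated directive is ignored (the first occurrence wins).
function parsePolicy(policy) {
  const seen = new Set(), out = [];
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (!tokens.length) continue;
    const name = tokens[0].toLowerCase();
    if (seen.has(name)) continue;
    seen.add(name);
    out.push([name, tokens.slice(1)]);
  }
  return out;
}

function allowScriptOrigin(headerValue, origin) {
  if (!isNarrowOrigin(origin)) throw new Error("refusing broad source: " + origin);
  // A merged header value holds comma-separated policies; each is enforced
  // independently, so every one of them has to be rewritten.
  return headerValue.split(",").map(function (policy) {
    const dirs = parsePolicy(policy);
    const find = (n) => dirs.find((d) => d[0] === n);
    let script = find("script-src");
    if (!script) {
      const def = find("default-src");
      if (!def) return policy.trim(); // this policy does not restrict scripts
      // Copy the fallback list into an explicit script-src so that img-src,
      // connect-src, etc. keep falling back to the untouched default-src.
      script = ["script-src", def[1].slice()];
      dirs.push(script);
    }
    // 'none' is only valid alone, so drop it before adding a source.
    script[1] = script[1].filter((s) => s.toLowerCase() !== "'none'");
    if (!script[1].includes(origin)) script[1].push(origin);
    return dirs.map((d) => [d[0]].concat(d[1]).join(" ")).join("; ");
  }).join(", ");
}
```

The returned string is what would be handed to `setResponseHeader` in place of the substring-based result; calling the function twice on the same value adds the origin only once.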
