CSP directive violated from a Chrome extension content script

Question (votes: 0, answers: 4)

I'm writing a Chrome extension on Manifest V3 for my own use, to make it easier to port information between two sites. When I try to click an element of a website's page from the extension's content script with a click() event, I get a CSP error. The external site "https://travel.*.com/TravelNet/nonRevenueSearch.action?search=getflights&travelWarningPresent=null" does not appear to have a CSP, so I believe my extension's CSP is the culprit. The CSP error I receive is:

Refused to run the JavaScript URL because it violates the following Content Security Policy directive: "script-src 'self' 'wasm-unsafe-eval' 'inline-speculation-rules' http://localhost:* http://127.0.0.1:*". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.

The error is generated by the element.click line below, which sits in a function exported by "scripts/main_travelNet.js" and imported by "scripts/content_travelNet.js", the file referenced in the manifest below. The querySelector selects from

const element = document.querySelector('a[href^="javascript:showFlightLoadInPopup2("]');
element.click();

I tried to define the CSP correctly in the file below, but I'm obviously doing it wrong:

{
  "manifest_version": 3,
  "name": "* Staff Traveler Helper",
  "description": "Help answer Staff Traveler App requests from * Travel Net",
  "version": "0.1",
  "permissions": ["storage", "tabs", "activeTab", "scripting"],
  "host_permissions": [
    "https://travel.*.com/TravelNet/*",
    "https://stafftraveler.app/*"
  ],
  "minimum_chrome_version": "92",
  "icons": {
    "16": "images/Icons8-Windows-8-Transport-Airplane-Takeoff-16.png",
    "32": "images/Icons8-Windows-8-Transport-Airplane-Takeoff-32.png",
    "48": "images/Icons8-Windows-8-Transport-Airplane-Takeoff-48.png",
    "128": "images/Icons8-Windows-8-Transport-Airplane-Takeoff-128.png"
  },
  "content_scripts": [
    {
      "js": ["scripts/content_staffTraveler.js"],
      "matches": ["https://stafftraveler.app/*"]
    },
    {
      "js": ["scripts/content_travelNet.js"],
      "matches": ["https://travel.*.com/TravelNet/*"]
    }
  ],
  "background": {
    "service_worker": "scripts/background.js",
    "type": "module"
  },
  "externally_connectable": {
    "matches": [
      "https://travel.*.com/TravelNet/*",
      "https://stafftraveler.app/*"
    ]
  },
  "web_accessible_resources": [
    {
      "resources": [
        "images/bookmark.png",
        "images/play.png",
        "images/delete.png",
        "images/save.png",
        "images/Widget.png",
        "images/favicon.ico",
        "scripts/main_travelNet.js",
        "scripts/main_staffTraveler.js",
        "scripts/main_travelNet.js",
        "scripts/object_definitions.js",
        "scripts/content_travelNet.js",
        "scripts/content_staffTraveler.js"
      ],
      "matches": ["<all_urls>"],
      "type": "module",
      "content_security_policy": "script-src 'self' 'unsafe-eval' 'unsafe-inline' 'unsafe-hashes' https://travel.*.com/TravelNet/*; object-src 'self'"
    },
    {
      "resources": [
        "scripts/main_staffTraveler.js",
        "scripts/main_travelNet.js",
        "scripts/object_definitions.js"
      ],
      "matches": ["<all_urls>"],
      "type": "module",
      "content_security_policy": "script-src 'self' 'unsafe-eval' 'unsafe-inline' 'unsafe-hashes' https://travel.*.com/TravelNet/*; object-src 'self'"
    }
  ],
  "action": {
    "default_icon": {
      "16": "images/ext-icon.png",
      "24": "images/ext-icon.png",
      "32": "images/ext-icon.png"
    },
    "default_title": "Staff Traveler Helper",
    "default_popup": "pages/popup.html",
    "content_security_policy": "script-src 'self' 'unsafe-eval' 'unsafe-inline' 'unsafe-hashes' https://travel.*.com/TravelNet/*; object-src 'self'"
  }
}

I have tried many iterations of adding different versions of the CSP to the manifest file, but it always results in the same error.

javascript google-chrome-extension click content-security-policy chrome-extension-manifest-v3
4 Answers

1 vote

Is this even allowed? "In Manifest V3, all CSP sources that refer to external or non-static content are prohibited", see https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy

I'm struggling with this too.
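The manifest in the question and the MV3 restriction quoted in this answer suggest a quick check worth running before editing further. The following is an added example, not code from the question, the answers, or Chrome: a small lint that flags content_security_policy keys nested where MV3 ignores them and, in the top-level extension_pages policy, script-src tokens MV3 rejects. The keyword allow-list and the localhost exception are my assumptions from the MV3 documentation, and sampleManifest is a constructed, trimmed stand-in for the asker's manifest.

```javascript
// Added example: lint an MV3 manifest for the CSP mistakes seen in the question.
// Assumed allow-list for extension_pages script-src (localhost only counts for unpacked extensions).
const MV3_SCRIPT_SRC_ALLOWED = new Set([
  "'self'", "'none'", "'wasm-unsafe-eval'", "'inline-speculation-rules'",
]);
const LOCAL_DEV_HOST = /^https?:\/\/(localhost|127\.0\.0\.1)(:\*|:\d+)?$/;

// Walk the manifest; Chrome reads content_security_policy only at the top level,
// so a copy nested under action, content_scripts or web_accessible_resources is silently ignored.
function findNestedCspKeys(node, path = []) {
  const hits = [];
  if (Array.isArray(node)) {
    node.forEach((v, i) => hits.push(...findNestedCspKeys(v, [...path, String(i)])));
  } else if (node && typeof node === "object") {
    for (const [k, v] of Object.entries(node)) {
      if (k === "content_security_policy" && path.length > 0) hits.push([...path, k].join("."));
      hits.push(...findNestedCspKeys(v, [...path, k]));
    }
  }
  return hits;
}

// Split "directive src ...; directive src ..." and return the script-src tokens MV3 rejects
// ('unsafe-inline', 'unsafe-eval', 'unsafe-hashes', remote hosts such as https://travel.*.com/...).
function badScriptSrcTokens(policy) {
  const dirs = policy.split(";").map((d) => d.trim().split(/\s+/)).filter((d) => d[0]);
  const scriptSrc = dirs.find((d) => d[0] === "script-src");
  if (!scriptSrc) return [];
  return scriptSrc.slice(1).filter((t) => !MV3_SCRIPT_SRC_ALLOWED.has(t) && !LOCAL_DEV_HOST.test(t));
}

function lintManifestCsp(manifest) {
  const findings = findNestedCspKeys(manifest).map((p) => `${p}: ignored, MV3 reads only the top-level key`);
  const top = manifest.content_security_policy;
  if (typeof top === "string") {
    findings.push("content_security_policy: MV3 expects an object with extension_pages / sandbox");
  } else if (top && typeof top.extension_pages === "string") {
    for (const t of badScriptSrcTokens(top.extension_pages)) findings.push(`extension_pages script-src: ${t} is rejected by MV3`);
  }
  return findings;
}

// Constructed sample: a nested key like the asker's, plus a top-level policy carrying rejected tokens.
const sampleManifest = {
  manifest_version: 3,
  action: { default_popup: "pages/popup.html", content_security_policy: "script-src 'self' 'unsafe-inline'" },
  content_security_policy: {
    extension_pages: "script-src 'self' 'unsafe-eval' https://travel.*.com/TravelNet/* http://localhost:*; object-src 'self'",
  },
};
console.log(lintManifestCsp(sampleManifest).join("\n"));
```

Run against the directive quoted in the question's error message, badScriptSrcTokens returns nothing: that string is Chrome's MV3 default for an unpacked extension, which is why none of the nested policies changed it.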


0 votes

If your configuration and the error message are in sync, there are more CSPs in play than the ones you define. One of them is probably set in a response header that you need to modify. It can be set by default by your code, a framework, the web server, or a proxy. Adding further policies will not allow content that an existing policy restricts.


0 votes

In my case, this worked:

"content_scripts": [ {
  // ...
  "world": "MAIN",
  // ...
} ],

https://developer.chrome.com/docs/extensions/mv3/manifest/content_scripts/#world-timings


0 votes

Third-party software attached to your browser (such as extensions) is causing this error. Mine were an antivirus extension and an Orangemonkey script. I had to uninstall

© www.soinside.com 2019 - 2024. All rights reserved.