Problem description

I am writing a Chrome extension that needs to have two domains in its whitelist for the content security policy. I've looked at the official docs, but I still can't seem to figure out the proper syntax. The following does not seem to work:

"content_security_policy": "script-src 'self' https://foo.com https://example.com; object-src 'self'"

EDIT: Both my content script and my popup are able to reach foo.com; however, neither can reach example.com. Are Chrome extensions capable of having multiple sources whitelisted in the CSP?

Answer

From what I know about CSPs, this looks syntactically correct. The HTML5 Rocks article on CSP agrees with your syntax, saying:

However, your problem may be that either:

- This CSP disallows all subdomains, including www.foo.com and www.example.com. You can add those subdomain hostnames explicitly, or you can use https://*.foo.com to allow all subdomains.

- If any of your script requests redirect to a non-permitted domain, the request will fail. For example, if https://example.com/foo.js responds with a 301 or 302 redirect to https://notpermitted.com/foo.js (non-permitted origin) or https://www.example.com/foo.js (non-permitted subdomain), the request will fail according to the spec:

EDIT: Just to confirm, yes, Chrome extensions can whitelist multiple HTTPS origins. You can build a simple extension to test this:

manifest.json

{
  "name": "CSP Test",
  "version": "1.0",
  "manifest_version": 2,
  "browser_action": {
    "default_popup": "csp_test.html"
  },
  "content_security_policy": "script-src 'self' https://www.iana.org https://ajax.googleapis.com; object-src 'self'"
}

csp_test.html

<script src="https://www.iana.org/_js/2013.1/jquery.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/jqueryui/1.10.3/jquery-ui.min.js"></script>
<script src="csp_test.js"></script>

csp_test.js

// Each alert shows "undefined" if the corresponding remote library was blocked by the CSP.
alert(jQuery)
alert(jQuery.ui)

This extension loads jQuery and jQuery UI from remote domains. If you remove either origin from the CSP, you will see an "undefined" alert signifying that one of the libraries failed to load.
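To make the two failure modes in the answer concrete (a bare host not covering its subdomains, and a redirect hop landing on a non-permitted URL), here is an added example, not part of the original question or answer, that parses a Manifest V2 content_security_policy string and checks whether a script load with its redirect chain would pass script-src. It assumes 'self' is the extension's own chrome-extension:// origin, ignores paths in source expressions, and treats a scheme-less source as https; extensionOrigin, parseCsp, sourceMatches and scriptLoadAllowed are names chosen here, not Chrome APIs.

```javascript
// Added example (not from the original Q&A): evaluate a Manifest V2 CSP's
// script-src against a script URL and every redirect target it goes through.
// Assumptions: 'self' is the extension's chrome-extension:// origin, paths in
// source expressions are ignored, and a scheme-less source means https.

// Parse "script-src 'self' https://foo.com; object-src 'self'" into
// { "script-src": ["'self'", "https://foo.com"], "object-src": ["'self'"] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

const DEFAULT_PORT = { "https:": "443", "http:": "80" };

// Does one source expression (e.g. https://*.foo.com) match a parsed URL?
function sourceMatches(source, url, extensionOrigin) {
  if (source === "'self'") return url.protocol + "//" + url.host === extensionOrigin;
  if (source.startsWith("'")) return false; // 'none', 'unsafe-inline' name no host
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const wantScheme = (scheme || "https").toLowerCase() + ":";
  if (url.protocol !== wantScheme) return false;  // http://foo.com is not https://foo.com
  const h = url.hostname.toLowerCase();
  const hostOk = wildcard
    ? h.endsWith("." + host.toLowerCase())         // *.foo.com covers www.foo.com, not foo.com
    : h === host.toLowerCase();                    // foo.com does NOT cover www.foo.com
  if (!hostOk) return false;
  const urlPort = url.port || DEFAULT_PORT[url.protocol] || "";
  return !port || port === "*" || port === urlPort;
}

// A script fetch succeeds only if the initial URL and every redirect target
// match some script-src source. chain = [initialUrl, redirect1, redirect2, ...].
function scriptLoadAllowed(policy, chain, extensionOrigin) {
  const sources = parseCsp(policy)["script-src"] || [];
  return chain.every((u) => {
    const url = new URL(u);
    return sources.some((s) => sourceMatches(s, url, extensionOrigin));
  });
}
```

Run it with the question's policy and a chain such as ["https://example.com/foo.js", "https://www.example.com/foo.js"] to see the redirect case fail even though the first URL is allowed.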