Question

I have been pulling my hair all day.

I am creating a tool for Facebook.

I am trying to inject Remote Javascript into my Chrome Extension.

It seems to be working on all other sites, except on Facebook.com, because the HTTP protocol there is secured: HTTPS.

The script is getting injected when I am browsing other sites that do not use HTTPS.

Is it not possible to inject external JavaScript to provide dynamic content for secured sites?

I am using the following code to inject the external JS:

app.js (part of the extension)

loads the following:

// Manifest V2 API: runs the packaged content script in the target tab
chrome.tabs.executeScript(tabId, {file: "js/loadexternal.js"});

Then /js/loadexternal.js does the following:

// Content script: add a <script src> tag pointing at the remote loader.
// The tag is inserted into the page's DOM, so the page's own CSP applies to it.
var s = document.createElement('script');
s.type = 'text/javascript';
s.src = 'https://www.website.com/loader.js?client=tacx';
document.getElementsByTagName('head')[0].appendChild(s);

Please note: I am also loading the remote script from a secured (HTTPS) server. It doesn't help!

This loads the loader.js file whenever I am not on a secured page...

But it is not loading on Facebook, which seems to always be on the HTTPS protocol.

Please help me. Thank you.

PS: Is there a workaround to display dynamically compiled results within my tool extension for FB?


Solution

If you look at the HTTP response headers on Facebook's page, you'll see the following header:

content-security-policy:
  default-src *;
  script-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* chrome-extension://lifbcibllhkdhoafpjfnlhfpfgnpldfl 'unsafe-inline' 'unsafe-eval' https://*.akamaihd.net http://*.akamaihd.net *.atlassolutions.com;
  style-src * 'unsafe-inline';
  connect-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.spotilocal.com:* https://*.akamaihd.net ws://*.facebook.com:* http://*.akamaihd.net https://fb.scanandcleanlocal.com:* *.atlassolutions.com http://attachment.fbsbx.com https://attachment.fbsbx.com;

Facebook has a security policy disallowing scripts from domains that aren't part of this list, so I don't think you'll be able to load an external script from your extension.

If that header wasn't there, you would normally be able to include scripts hosted on the https:// protocol.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow