[英]Chrome Extension: yql API ERROR: Content Security
I am trying to make a call to yql api. 我正在尝试致电yql api。 But get an error: I have the following
但是出现错误:我有以下情况
Manfiest.json:
"content_security_policy": "script-src 'self'; object-src 'self'",
Error:
Refused to load the script 'http://query.yahooapis.com/v1/public/yql?q=select%20*%20from%20html%20where…withkeys&callback=jQuery20208888747137971222_1400373036635&_=1400373036638' because it violates the following Content Security Policy directive: "script-src 'self' chrome-extension-resource:".'
I tried doing it w/o having the "content_security_policy" But I would still get an error. 我尝试不使用“ content_security_policy”来执行此操作,但仍然会收到错误消息。
The code to do the call: 进行调用的代码:
yqlAPI = 'http://query.yahooapis.com/v1/public/yql?q=' + encodeURIComponent(query) + ' &format=json&env=store%3A%2F%2Fdatatables.org%2Falltableswithkeys&callback=?';
$.getJSON(yqlAPI, function(r){
$.each(r.query.results.li, function(){
if(typeof this.font !== 'undefined')
{
gogoAnime1.push([this.a.href,this.font.content]);
}
});
gotFollowersOfA(gogoAnime1);});
I have been looking in the CSP ( https://developer.chrome.com/extensions/contentSecurityPolicy#relaxing-remote-script ) But I don't understand what I have to add to my manifest.json. 我一直在寻找CSP( https://developer.chrome.com/extensions/contentSecurityPolicy#relaxing-remote-script ),但是我不明白我必须添加到manifest.json中的内容。 To make it work all help would be appreciated!
为了使它起作用,所有帮助将不胜感激!
I wonder if that's because of requesting an external object. 我想知道这是否是因为请求外部对象。
Content Security Policy (CSP) - Google Chrome 内容安全政策(CSP)-Google Chrome
If you have a need for some external JavaScript or object resources , you can relax the policy to a limited extent by whitelisting secure origins from which scripts should be accepted.
如果您需要一些外部JavaScript或对象资源 ,则可以通过将应接受脚本的安全来源列入白名单 ,在一定程度上放宽该策略。
so adjust it accordingly, manfiest.json: 因此,请相应调整manfiest.json:
"content_security_policy":
"script-src 'self'; object-src 'self' https://query.yahooapis.com/"
And you'll need to use HTTPS origin: 而且您需要使用HTTPS来源:
As man-in-the-middle attacks are both trivial and undetectable over HTTP, those origins will not be accepted .
由于中间人攻击既琐碎又无法通过HTTP检测到,因此这些来源将不被接受 。 Currently, we allow whitelisting origins with the following schemes: HTTPS, chrome-extension, and chrome-extension-resource.
目前,我们允许使用以下方案将来源列入白名单: HTTPS,chrome-extension和chrome-extension-resource。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.