
Remote Js file in Firefox extension

I am coding a firefox add-on for my website visitors. I am trying to make that extension load a remote javascript file, so visitors can change settings and options for the addon in their profile on the website, and the addon loads it via remote js. Here is what I tried:

if(window.location.hostname=="link") {
    // randnw: cache-busting value, defined elsewhere in the asker's code
    pagesload='http://link/file.js?v='+randnw;

    var req = new XMLHttpRequest();
    req.open('GET', pagesload, false); // synchronous request, plain http
    req.send();
    var contents = req.responseText;
    eval(contents); // remote script runs with the add-on's own privileges
}

Don't!

Don't ever do something like that! This is a security nightmare (even if you'd run it just in a content script).

If you ever plan to publish the add-on, in the Mozilla add-ons gallery (AMO) or not: as doing something like this would violate the Add-on Guidelines, your AMO submission would be rejected and/or your self-hosted add-on would be blocklisted for being unsafe upon discovery.

Why is this unsafe?

  • The remote script you're loading will run in another, higher (security) context, which is a show-stopper. When running in a content script, it might do everything the content script can do, incl. (abusively) messaging fully privileged SDK modules, incl. main.js. When running in an SDK module, it would be fully privileged and can do whatever the system user account can do. Stealing all user cookies would be only a first step.
  • The remote script can not be trusted, ever.
  • When transmitted over http, an attacker might easily mount man-in-the-middle attacks.
  • When transmitted over https, while man-in-the-middle attacks become far less feasible, the server operator can do whatever they want. And the server operator is not necessarily you yourself. The server might have been compromised in the meantime or ownership of the domain might have been transferred.

Instead

Instead of evaluating some remote script with eval, only exchange data, such as JSON, XML, plain text, etc., and verify the data before using it (don't simply trust remote data).

How to retrieve

From an SDK module, incl. main.js, you may use the request or net/xhr module, both of which do not have a same-origin policy.

Content scripts can be made into cross-domain content scripts should the need arise, but they can use XMLHttpRequest for the same domain they are running on even without it.

Your question also has a snippet using synchronous XHR. Don't use synchronous XHR. It is strongly discouraged and considered a bad practice on the web, and even more so in add-ons (and not really officially supported there anyway).

Why doesn't the code from your question work?

No idea, you didn't provide enough details to reproduce the problem. E.g. you haven't even mentioned where that code is supposed to work (main.js, a content script, ...).
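The "exchange data, verify it, never eval it" advice and the asynchronous sdk/request retrieval from the answer above, as an added example that is not part of the original question or answer. The settings schema, the function names and the remote URL are assumptions for illustration; the only real API used is the SDK's request module (Request({url, onComplete}).get()), and it is wrapped in a function that is not called at load time, so the validation logic can be exercised on its own.

```javascript
// Added example: fetch add-on settings as JSON data and validate them before
// use, instead of eval()-ing a remote script. SETTINGS_SCHEMA, DEFAULT_SETTINGS
// and the function names are assumptions made for this illustration.

// Allowlist of settings the add-on understands. Anything else is dropped.
var SETTINGS_SCHEMA = {
  theme: { type: "enum", values: ["light", "dark"] },
  refreshSeconds: { type: "integer", min: 5, max: 3600 },
  showBadge: { type: "boolean" }
};

var DEFAULT_SETTINGS = { theme: "light", refreshSeconds: 60, showBadge: true };

// Parse untrusted text as JSON and keep only well-typed, allowlisted keys.
// Returns { settings, errors }: settings is always usable (defaults fill in
// anything missing or rejected), errors explains what was thrown away.
function validateSettings(text) {
  var errors = [];
  var settings = {};
  var key;
  for (key in DEFAULT_SETTINGS) settings[key] = DEFAULT_SETTINGS[key];

  var data;
  try {
    data = JSON.parse(text);          // parse only; nothing is executed
  } catch (e) {
    return { settings: settings, errors: ["response is not valid JSON"] };
  }
  if (data === null || typeof data !== "object" || Array.isArray(data)) {
    return { settings: settings, errors: ["response is not a JSON object"] };
  }

  for (key in data) {
    // hasOwnProperty on the schema also drops keys like "__proto__"
    if (!Object.prototype.hasOwnProperty.call(SETTINGS_SCHEMA, key)) {
      errors.push("unknown key ignored: " + key);
      continue;
    }
    var rule = SETTINGS_SCHEMA[key];
    var value = data[key];
    var ok = false;
    if (rule.type === "enum") {
      ok = typeof value === "string" && rule.values.indexOf(value) !== -1;
    } else if (rule.type === "integer") {
      ok = typeof value === "number" && value % 1 === 0 &&
           value >= rule.min && value <= rule.max;
    } else if (rule.type === "boolean") {
      ok = typeof value === "boolean";
    }
    if (ok) settings[key] = value;
    else errors.push("rejected value for " + key + ": " + JSON.stringify(value));
  }
  return { settings: settings, errors: errors };
}

// Asynchronous retrieval from an SDK module (main.js) with sdk/request, which
// has no same-origin restriction. The response body is treated purely as data.
// Deliberately not invoked at load time; url is assumed to be an https URL.
function loadRemoteSettings(url, onSettings) {
  var Request = require("sdk/request").Request;
  Request({
    url: url,
    onComplete: function (response) {
      if (response.status !== 200) {
        onSettings(validateSettings(""));   // falls back to the defaults
        return;
      }
      onSettings(validateSettings(response.text));
    }
  }).get();
}

// Constructed sample response: a settings document that tries to smuggle
// code into two fields. With data validation it is simply rejected.
var SAMPLE_RESPONSE = JSON.stringify({
  theme: "dark",
  refreshSeconds: 10,
  showBadge: "alert(1)",
  onload: "eval(document.cookie)"
});

var checked = validateSettings(SAMPLE_RESPONSE);
// checked.settings -> { theme: "dark", refreshSeconds: 10, showBadge: true }
// checked.errors   -> two entries: showBadge rejected, onload ignored
```

A string such as "alert(1)" is just a string here: it fails the boolean check and the default is kept, and the unknown onload key never reaches any code path. The validator also returns usable defaults on any parse failure, so a network error or a tampered body degrades the add-on rather than breaking it.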
