
Browser Extension (CrossRider) iframe origin and parent access

I am developing an extension with Crossrider at the moment. I am now in the process of making it work also on IE and Chrome. The extension adds an IFrame to every page as a sidebar and from the iframe interacts with the parent window. To make this work I use Crossrider's "recommendation" of using a data encoded block for the iframe instead of a URL to work around the same domain issue for security.

This works in Firefox (and with some hacking also in IE), however in Chrome I have the following issues:

Blocked a frame with origin "null" from accessing a cross-origin frame.

From what I read the only way around it is to actually be on the same domain (not possible as the plugin works for every website) or use cross window messaging (because of a rich interaction we have with the parent a lot of overhead). So my question is, how can I configure override or whatever to fix this for Chrome, is there a way? As a quick workaround it can even be a setting I have to do in Chrome.

But in general I think there should be a way around this because in the end I already have full access to the browser because the extension is installed, so I assume I should be able to override this somehow?

In general, iframes are protected by security policies implemented by browsers. Hence, the simplest way to interact between an iframe and the extension running on its parent page is to send messages between them.

You can achieve this by enabling the (Settings >) Run in Iframes feature in the IDE, and then differentiate between the iframe and its parent in the extension.js code. The following example should help you understand the general idea:

extension.js:

appAPI.ready(function($) {
  if (appAPI.dom.isIframe()) {
    // iframe code
    appAPI.message.addListener(function(msg) {
      if (msg.action === 'someAction') {
        // ...
        // send response
        appAPI.message.toCurrentTabWindow({
          action:'otherAction',
          response:'otherResponse'
        });
      }
    });
    // end iframe code
    return;
  }
  // Parent window code
  appAPI.message.addListener(function(msg) {
    if (msg.action === 'otherAction') {
      // ...
      // send response
      appAPI.message.toCurrentTabIframes({
        action:'someAction',
        response:'someResponse'
      });
    }
  });
});

For more information on the methods used in the example, see appAPI.dom.isIframe, appAPI.message.toCurrentTabIframes, and appAPI.message.toCurrentTabWindow.

[Disclosure: I am a Crossrider employee]
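
Added example, not part of the answer above and not Crossrider's own code: a request/response layer over the message passing shown in extension.js, so the sidebar iframe calls a fixed allowlist of parent-side actions instead of reaching into the parent window. `createChannel`, the `kind`/`id`/`params` message fields and the wiring in the closing comment are assumptions; only the appAPI calls named in the answer come from the page.

```javascript
// Added example. `send` delivers one plain object to the other side (assumption).
// `handlers` is the allowlist of actions this side lets the other side invoke.
function createChannel(send, handlers = {}) {
  const pending = new Map();                          // request id -> {resolve, reject}
  const prefix = Math.random().toString(36).slice(2); // keeps ids distinct per frame
  let counter = 0;

  // Ask the other side to run `action`; resolves with its result.
  function call(action, params) {
    return new Promise((resolve, reject) => {
      const id = prefix + ':' + (++counter);
      pending.set(id, { resolve, reject });
      send({ kind: 'request', id, action, params });
    });
  }

  function reply(id, body) {
    send(Object.assign({ kind: 'response', id }, body));
  }

  // Pass every incoming message to this function.
  function receive(msg) {
    if (!msg || typeof msg !== 'object') return;      // ignore malformed input
    if (msg.kind === 'request') {
      // Own-property check: names such as "constructor" or "__proto__" never match.
      const allowed = Object.prototype.hasOwnProperty.call(handlers, msg.action) &&
        typeof handlers[msg.action] === 'function';
      if (!allowed) return reply(msg.id, { error: 'unknown action' });
      Promise.resolve()
        .then(() => handlers[msg.action](msg.params))
        .then(result => reply(msg.id, { result }),
              err => reply(msg.id, { error: String((err && err.message) || err) }));
    } else if (msg.kind === 'response' && pending.has(msg.id)) {
      const { resolve, reject } = pending.get(msg.id);
      pending.delete(msg.id);                         // each response is accepted once
      if (msg.error !== undefined) reject(new Error(msg.error));
      else resolve(msg.result);
    }
  }
  return { call, receive };
}

// Wiring with the calls from the answer (assumed to carry plain objects):
//   parent: ch = createChannel(m => appAPI.message.toCurrentTabIframes(m),
//                              { getTitle: () => document.title });
//   iframe: ch = createChannel(m => appAPI.message.toCurrentTabWindow(m));
//   both:   appAPI.message.addListener(ch.receive);  // iframe: ch.call('getTitle')
```

Each parent capability becomes one named handler, so the page-facing surface stays small and reviewable however rich the sidebar's interaction gets.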

You can use object URLs as your iframe src. They are considered the same origin as the creating page. https://developer.mozilla.org/en-US/docs/Web/API/URL/createObjectURL
