
Check if a request is a subresource integrity in a Chrome extension

Is it possible to check if a script/stylesheet is integrity protected via subresource-integrity (SRI) from a Chrome extension?

I want to know this before the request is initiated, so this should be done with chrome.webRequest.onBeforeRequest. But it gives no hints about the request as SRI is browser side. Everything happens after the request has finished.

From my point of view the only way to get this information is to access the DOM directly. This would mean I have to stall all requests until the HTML is completely parsed, which doesn't seem the way to go.

Maybe SRI is just too new to be accessible to extensions, as I didn't find it anywhere in the Chrome extension docs.

Yes, you can determine if a resource is protected by subresource-integrity, prior to the request for the resource being made, by checking for the appropriate attribute(s) (i.e. integrity) on the element specifying the resource as the element is added to the DOM. You can have a content script that is executed at document_start (either specified in manifest.json (run_at), or injected using tabs.executeScript() [1] (runAt)). That script could then set up a MutationObserver to watch elements being placed in the DOM. Each appropriate element type (i.e. <script> and <link>) would then need to be checked for using subresource-integrity. This check/determination will occur prior to the webRequest.onBeforeRequest event.

Doing this does not stall all requests until the HTML is fully parsed. It performs the check as each element specifying a resource is entered into the DOM. On the other hand, obviously, any additional processing you introduce through the use of the MutationObserver does add some additional time to parsing the HTML, creating the DOM and loading all resources.


  1. Getting the timing correct to have a script executed at document_start using tabs.executeScript() is non-trivial. How to do so would be a separate question.
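
A sketch of the content script the answer describes, added here as an example and not part of the original answer. It assumes the script is registered with "run_at": "document_start" in manifest.json; the names sriStatus and handleMutations are hypothetical. It goes slightly beyond the answer by treating an integrity attribute that is empty or holds only unrecognised hash tokens as unprotected, since such a value enforces nothing.

```javascript
// Added example. Assumed to be a content script registered with
// "run_at": "document_start". sriStatus/handleMutations are hypothetical names.

// SRI metadata token: sha256/sha384/sha512, "-", base64 digest, optional "?options".
const SRI_TOKEN = /^sha(256|384|512)-[A-Za-z0-9+\/_-]+={0,2}(\?.*)?$/i;

// Returns null for elements that load no external script/stylesheet,
// otherwise { url, isProtected, hashes }.
function sriStatus(el) {
  const tag = (el.tagName || '').toLowerCase();
  let url = null;
  if (tag === 'script') {
    url = el.getAttribute('src');
  } else if (tag === 'link') {
    const rel = (el.getAttribute('rel') || '').toLowerCase().split(/\s+/);
    if (rel.includes('stylesheet')) url = el.getAttribute('href');
  }
  if (!url) return null;
  // An empty value or one with only unrecognised tokens enforces nothing.
  const hashes = (el.getAttribute('integrity') || '')
    .split(/\s+/).filter(t => SRI_TOKEN.test(t));
  return { url, isProtected: hashes.length > 0, hashes };
}

// Inspect every element in a batch of MutationRecords, including descendants
// of subtrees inserted in one step (e.g. via innerHTML).
function handleMutations(mutations, report) {
  for (const m of mutations) {
    for (const node of m.addedNodes) {
      if (node.nodeType !== 1) continue; // element nodes only
      const nested = node.querySelectorAll('script[src], link[rel~="stylesheet"]');
      for (const el of [node, ...nested]) {
        const status = sriStatus(el);
        if (status) report(status);
      }
    }
  }
}

// Only runs inside a page; skipped under Node.
if (typeof MutationObserver !== 'undefined' && typeof document !== 'undefined') {
  new MutationObserver(ms => handleMutations(ms, s =>
    console.log('[SRI]', s.isProtected ? 'protected' : 'unprotected', s.url)
  )).observe(document, { childList: true, subtree: true });
}
```

To act on the result in webRequest.onBeforeRequest, the content script would have to pass each status to the background page (for example with chrome.runtime.sendMessage) and match it to the request by URL.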
