[英]How to overcome Ajax Content Security Policy directive?
I am injecting some JS code on various websites (using Selenium and Python) to send POST requests to my local web server. 我正在各种网站(使用Selenium和Python)上注入一些JS代码,以将POST请求发送到本地Web服务器。 On some websites it works fine.
在某些网站上,它可以正常工作。 But mostly, I don't get the requests.
但大多数情况下,我没有收到请求。 Figured it's because of the Content Security Policy.
认为这是由于内容安全策略。
For example, when I try to run the code using Console in Chrome on github.com, I get a following error: 例如,当我尝试在github.com上的Chrome中使用控制台运行代码时,出现以下错误:
Refused to connect to ' http://10.50.50.127:7777/ ' because it violates the following Content Security Policy directive: "connect-src 'self' uploads.github.com status.github.com collector.githubapp.com api.github.com www.google-analytics.com ...".
拒绝连接到“ http://10.50.50.127:7777/ ”,因为它违反了以下内容安全策略指令:“ connect-src'self'uploads.github.com status.github.com collector.githubapp.com api”。 github.com www.google-analytics.com ...”。
My code looks like this: 我的代码如下所示:
function sendData() {
var request = new XMLHttpRequest();
request.open('POST', 'http://10.50.50.127:7777', false);
request.send("test");
}
I did some research on my own, and found a possible solution - to use a local proxy server and send data to a relative path like "/test". 我自己进行了一些研究,发现了一个可能的解决方案-使用本地代理服务器并将数据发送到相对路径(例如“ / test”)。 But it's pretty complicated to write a proxy server from scratch.
但是从头开始编写代理服务器非常复杂。
So, what can I do to overcome this Content Security Policy? 因此,我该怎么做才能克服此内容安全政策?
If you controlled over both of sides then you can use. 如果您控制了双方,则可以使用。
https://easyxdm.net/wp/ https://easyxdm.net/wp/
Regards 问候
I figured it! 我想通了! Turns out you can just disable all of the security checks:
事实证明,您可以禁用所有安全检查:
chrome_options = webdriver.ChromeOptions()
chrome_options.add_argument('--disable-web-security')
chrome_options.add_argument('--allow-running-insecure-content')
browser = webdriver.Chrome(chrome_options=chrome_options)
If your using Chrome and you want to disable Content Security Policy you can also use a plugin called Disable Content-Security-Policy from Chrome Web Store. 如果您使用的是Chrome,并且想要禁用内容安全策略,则还可以使用Chrome Web Store中名为Disable Content-Security-Policy的插件。 This is the plugin for Chrome to disable headers.
这是Chrome用来禁用标头的插件。 I inject JS via Tampermonkey (Chrome) and this works fine.
我通过Tampermonkey(Chrome)注入了JS,效果很好。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.