[英]XMLHTTPRequest vulnerabilities when doing cross origin requests from a Chrome extension?
You can do cross origin requests with Chrome extensions.您可以使用 Chrome 扩展程序执行跨源请求。 I created a test Chrome extension to fiddle with this.我创建了一个测试 Chrome 扩展来解决这个问题。 It gets all the code in a specific page from a site at the click of a button.它通过单击按钮从站点获取特定页面中的所有代码。
All I want from the page is data (just some text and numbers) to then display it in the options page of the extension.我想要的页面只是数据(只是一些文本和数字),然后将其显示在扩展的选项页面中。
The way I'm extracting this data is by traversing the document in the response (the response
or responseXML
property of the request).我提取此数据的方式是遍历响应中的文档(请求的response
或responseXML
属性)。 For example, I use querySelectorAll
to get a bunch of elements, then I put all of their textContent
properties in an array, then I put each element on the array in a <ul>
in the DOM of the extension page.例如,我使用querySelectorAll
获取一堆元素,然后我将它们的所有textContent
属性放在一个数组中,然后我将数组中的每个元素放在扩展页面的 DOM 中的<ul>
中。
Lastly, after I request a particular page from the site, I store the response document in my localStorage
(only the last page requested will be stored, overwriting the previous page stored).最后,在我从站点请求特定页面后,我将响应文档存储在我的localStorage
(仅存储请求的最后一个页面,覆盖存储的前一个页面)。 I'm doing this by storing the outerHTML
of the response element (through document.documentElement.outerHTML
).我通过存储响应元素的outerHTML
(通过document.documentElement.outerHTML
)来做到这一点。 Then when I refresh the extension page, I use DOMParser
and parseFromString
to convert it back to a document.然后当我刷新扩展页面时,我使用DOMParser
和parseFromString
将其转换回文档。 After it's been converted back to a document, the stuff in the previous paragraph happens again (the DOM traversing and extraction of data).转换回文档后,上一段的内容再次发生(DOM 遍历和数据提取)。
Any potential security issues?任何潜在的安全问题?
MDN says this: MDN 是这样说的:
"Processing a responseText property containing an HTML document If you use XMLHttpRequest to get the content of a remote HTML webpage, the responseText property is a string containing the raw HTML. This could prove difficult to manipulate and analyze. There are three primary ways to analyze and parse this raw HTML string: “处理包含 HTML 文档的 responseText 属性如果您使用 XMLHttpRequest 获取远程 HTML 网页的内容,则 responseText 属性是一个包含原始 HTML 的字符串。这可能难以操作和分析。分析的主要方法有以下三种并解析这个原始 HTML 字符串:
- Use the XMLHttpRequest.responseXML property as covered in the article https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/HTML_in_XMLHttpRequest使用文章https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/HTML_in_XMLHttpRequest 中介绍的 XMLHttpRequest.responseXML 属性
HTML in XMLHttpRequest. XMLHttpRequest 中的 HTML。 Inject the content into the body of a document fragment via fragment.body.innerHTML and traverse the DOM of the fragment.通过 fragment.body.innerHTML 将内容注入到文档片段的主体中,并遍历片段的 DOM。
RegExp can be used if you always know the content of the HTML responseText beforehand.如果您总是事先知道 HTML responseText 的内容,则可以使用 RegExp。 You might want to remove line breaks, if you use RegExp to scan with regard to linebreaks.如果您使用 RegExp 扫描换行符,您可能想要删除换行符。 However, this method is a "last resort" since if the HTML code changes slightly, the method will likely fail."但是,此方法是“最后的手段”,因为如果 HTML 代码稍有更改,该方法可能会失败。”
I am using the first method.我正在使用第一种方法。
This page talks about dangerous and safe methods of handling the response (although here it's talking about responseText, not an html document gotten from response or responseXML): https://developer.chrome.com/apps/xhr此页面讨论了处理响应的危险和安全方法(尽管这里讨论的是 responseText,而不是从 response 或 responseXML 获取的 html 文档): https : //developer.chrome.com/apps/xhr
Summary:概括:
// 1. WARNING! Might be evaluating an evil script!
var resp = eval("(" + xhr.responseText + ")");
// 2. WARNING! Might be injecting a malicious script!
document.getElementById("resp").innerHTML = xhr.responseText;
// 3. JSON.parse does not evaluate the attacker's scripts.
var resp = JSON.parse(xhr.responseText);
// 4. innerText does not let the attacker inject HTML elements.
document.getElementById("resp").innerText = xhr.responseText;
The only issue here is number 2. I have used innerHTML to create a <li>
's in a <ul>
with data from the response doc.这里唯一的问题是数字 2。我使用了 innerHTML 在<ul>
创建了一个<li>
,其中包含来自响应文档的数据。 Now, I know this site, but I guess I could change this to not use innerHTML.现在,我知道这个站点,但我想我可以将其更改为不使用innerHTML。
Safe API/properties:安全 API/属性:
textContent
or innerText
are absolutely secure textContent
或innerText
是绝对安全的
responseXML
is secure, see step 5 in XHR specification : responseXML
是安全的,请参阅XHR 规范中的第 5 步:
scripting support disabled on received bytes对接收的字节禁用脚本支持
DOMParser
API is secure just the same. DOMParser
API 同样是安全的。
Potentially unsafe:可能不安全:
innerHTML
won't run <script>
elements, see ( HTML5 spec ): innerHTML
不会运行<script>
元素,请参阅( HTML5 规范):
When inserted using the innerHTML and outerHTML attributes, they do not execute at all.当使用innerHTML 和outerHTML 属性插入时,它们根本不执行。
but it'll run inline code in event handler attributes like <img src="x" onerror="alert(1)">
and although normally this won't run in an extension page due to the default CSP forbidding inline code in extension pages, but many authors need to relax the CSP.但它会在诸如<img src="x" onerror="alert(1)">
类的事件处理程序属性中运行内联代码,尽管通常这不会在扩展页面中运行,因为默认 CSP 禁止扩展中的 内联代码页,但许多作者需要放松 CSP。
Even if you didn't relax the default CSP and want to use the raw foreign html in the main document, you need to strip <style>
and <link>
elements as those can alter the main page appearance, remove the on
attributes, <script>
elements as well (just for consistency).即使你没有放松默认的 CSP 并想在主文档中使用原始的外国 html,你也需要去除<style>
和<link>
元素,因为它们可以改变主页面的外观,删除on
属性, <script>
元素也是如此(只是为了一致性)。 Or put that HTML inside an iframe with sandbox
attribute instead.或者将该 HTML 放入带有sandbox
属性的iframe 中。
There's also Mozilla's policy to consider:还有 Mozilla 的政策需要考虑:
If your project is one that will undergo any form of security review, using innerHTML most likely will result in your code being rejected.如果您的项目将接受任何形式的安全审查,那么使用 innerHTML 很可能会导致您的代码被拒绝。 For example, if you use innerHTML in a browser extension and submit the extension to addons.mozilla.org, it will not pass the automated review process.例如,如果您在浏览器扩展中使用了innerHTML 并将扩展提交到addons.mozilla.org,它将不会通过自动审核过程。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.