堆栈内存溢出
  简体   繁体   English

从 Chrome 扩展程序执行跨源请求时存在 XMLHTTPRequest 漏洞?

[英]XMLHTTPRequest vulnerabilities when doing cross origin requests from a Chrome extension?

 原文  2020-01-20 10:19:53       javascript/ html/ google-chrome-extension/ cross-domain

问题描述

You can do cross origin requests with Chrome extensions.您可以使用 Chrome 扩展程序执行跨源请求。 I created a test Chrome extension to fiddle with this.我创建了一个测试 Chrome 扩展来解决这个问题。 It gets all the code in a specific page from a site at the click of a button.它通过单击按钮从站点获取特定页面中的所有代码。

All I want from the page is data (just some text and numbers) to then display it in the options page of the extension.我想要的页面只是数据(只是一些文本和数字),然后将其显示在扩展的选项页面中。

The way I'm extracting this data is by traversing the document in the response (the response or responseXML property of the request).我提取此数据的方式是遍历响应中的文档(请求的responseresponseXML属性)。 For example, I use querySelectorAll to get a bunch of elements, then I put all of their textContent properties in an array, then I put each element on the array in a <ul> in the DOM of the extension page.例如,我使用querySelectorAll获取一堆元素,然后我将它们的所有textContent属性放在一个数组中,然后我将数组中的每个元素放在扩展页面的 DOM 中的<ul>中。

Lastly, after I request a particular page from the site, I store the response document in my localStorage (only the last page requested will be stored, overwriting the previous page stored).最后,在我从站点请求特定页面后,我将响应文档存储在我的localStorage (仅存储请求的最后一个页面,覆盖存储的前一个页面)。 I'm doing this by storing the outerHTML of the response element (through document.documentElement.outerHTML ).我通过存储响应元素的outerHTML (通过document.documentElement.outerHTML )来做到这一点。 Then when I refresh the extension page, I use DOMParser and parseFromString to convert it back to a document.然后当我刷新扩展页面时,我使用DOMParserparseFromString将其转换回文档。 After it's been converted back to a document, the stuff in the previous paragraph happens again (the DOM traversing and extraction of data).转换回文档后,上一段的内容再次发生(DOM 遍历和数据提取)。

Any potential security issues?任何潜在的安全问题?

MDN says this: MDN 是这样说的:

"Processing a responseText property containing an HTML document If you use XMLHttpRequest to get the content of a remote HTML webpage, the responseText property is a string containing the raw HTML. This could prove difficult to manipulate and analyze. There are three primary ways to analyze and parse this raw HTML string: “处理包含 HTML 文档的 responseText 属性如果您使用 XMLHttpRequest 获取远程 HTML 网页的内容,则 responseText 属性是一个包含原始 HTML 的字符串。这可能难以操作和分析。分析的主要方法有以下三种并解析这个原始 HTML 字符串:

  1. Use the XMLHttpRequest.responseXML property as covered in the article https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/HTML_in_XMLHttpRequest使用文章https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/HTML_in_XMLHttpRequest 中介绍的 XMLHttpRequest.responseXML 属性

  2. HTML in XMLHttpRequest. XMLHttpRequest 中的 HTML。 Inject the content into the body of a document fragment via fragment.body.innerHTML and traverse the DOM of the fragment.通过 fragment.body.innerHTML 将内容注入到文档片段的主体中,并遍历片段的 DOM。

  3. RegExp can be used if you always know the content of the HTML responseText beforehand.如果您总是事先知道 HTML responseText 的内容,则可以使用 RegExp。 You might want to remove line breaks, if you use RegExp to scan with regard to linebreaks.如果您使用 RegExp 扫描换行符,您可能想要删除换行符。 However, this method is a "last resort" since if the HTML code changes slightly, the method will likely fail."但是,此方法是“最后的手段”,因为如果 HTML 代码稍有更改,该方法可能会失败。”

I am using the first method.我正在使用第一种方法。

This page talks about dangerous and safe methods of handling the response (although here it's talking about responseText, not an html document gotten from response or responseXML): https://developer.chrome.com/apps/xhr此页面讨论了处理响应的危险和安全方法(尽管这里讨论的是 responseText,而不是从 response 或 responseXML 获取的 html 文档): https : //developer.chrome.com/apps/xhr

Summary:概括:

    // 1. WARNING! Might be evaluating an evil script!
    var resp = eval("(" + xhr.responseText + ")");

    // 2. WARNING! Might be injecting a malicious script!
    document.getElementById("resp").innerHTML = xhr.responseText;

    // 3. JSON.parse does not evaluate the attacker's scripts.
    var resp = JSON.parse(xhr.responseText);

    // 4. innerText does not let the attacker inject HTML elements.
    document.getElementById("resp").innerText = xhr.responseText;

The only issue here is number 2. I have used innerHTML to create a <li> 's in a <ul> with data from the response doc.这里唯一的问题是数字 2。我使用了 innerHTML 在<ul>创建了一个<li> ,其中包含来自响应文档的数据。 Now, I know this site, but I guess I could change this to not use innerHTML.现在,我知道这个站点,但我想我可以将其更改为不使用innerHTML。

1 个解决方案

解决方案1
 1 已采纳  2020-01-20 13:48:54

Safe API/properties:安全 API/属性:

  • textContent or innerText are absolutely secure textContentinnerText是绝对安全的

  • responseXML is secure, see step 5 in XHR specification : responseXML是安全的,请参阅XHR 规范中的第 5 步

    scripting support disabled on received bytes对接收的字节禁用脚本支持

  • DOMParser API is secure just the same. DOMParser API 同样是安全的。

Potentially unsafe:可能不安全:

  • innerHTML won't run <script> elements, see ( HTML5 spec ): innerHTML不会运行<script>元素,请参阅( HTML5 规范):

    When inserted using the innerHTML and outerHTML attributes, they do not execute at all.当使用innerHTML 和outerHTML 属性插入时,它们根本不执行。

    but it'll run inline code in event handler attributes like <img src="x" onerror="alert(1)"> and although normally this won't run in an extension page due to the default CSP forbidding inline code in extension pages, but many authors need to relax the CSP.但它会在诸如<img src="x" onerror="alert(1)">类的事件处理程序属性中运行内联代码,尽管通常这不会在扩展页面中运行,因为默认 CSP 禁止扩展中的 内联代码页,但许多作者需要放松 CSP。

    Even if you didn't relax the default CSP and want to use the raw foreign html in the main document, you need to strip <style> and <link> elements as those can alter the main page appearance, remove the on attributes, <script> elements as well (just for consistency).即使你没有放松默认的 CSP 并想在主文档中使用原始的外国 html,你也需要去除<style><link>元素,因为它们可以改变主页面的外观,删除on属性, <script>元素也是如此(只是为了一致性)。 Or put that HTML inside an iframe with sandbox attribute instead.或者将该 HTML 放入带有sandbox属性的iframe 中

    There's also Mozilla's policy to consider:还有 Mozilla 的政策需要考虑:

    If your project is one that will undergo any form of security review, using innerHTML most likely will result in your code being rejected.如果您的项目将接受任何形式的安全审查,那么使用 innerHTML 很可能会导致您的代码被拒绝。 For example, if you use innerHTML in a browser extension and submit the extension to addons.mozilla.org, it will not pass the automated review process.例如,如果您在浏览器扩展中使用了innerHTML 并将扩展提交到addons.mozilla.org,它将不会通过自动审核过程。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Chrome扩展程序的跨域XMLHttpRequest返回状态0 - Cross-Origin XMLHttpRequest from Chrome Extension Returning Status 0 将XHR从Chrome扩展程序发送到PHP页面时出错:仅HTTP支持跨源请求 - Error when sending XHR from Chrome Extension to a PHP page: Cross origin requests are only supported for HTTP Chrome扩展程序将数据发布到Rails服务器跨域XMLHttpRequest - Chrome Extension Post Data to Rails Server Cross-Origin XMLHttpRequest Cross Origin Chrome扩展程序 - Cross Origin Chrome Extension 从 chrome 扩展启动 spring 上的交叉原点 - cross origin on spring boot from chrome extension 是否可以从Chrome中的内容脚本执行跨域XMLHttpRequest? - Is it possible to perform a Cross-Origin XMLHttpRequest from a content script in Chrome? XMLHttpRequest:仅支持跨源请求 - XMLHttpRequest: Cross origin requests are only supported chrome.tabs.executeScript(…)时,Chrome扩展程序存在跨源问题 - Cross origin issue with Chrome extension when chrome.tabs.executeScript(…) Chrome扩展中的跨源XMLHttpRequest - Cross-Origin XMLHttpRequest in chrome extensions vs2008中没有错误但在Chrome中错误= XMLHttpRequest无法加载文件:仅支持HTTP的跨源请求 - no error in vs2008 but in Chrome Error= XMLHttpRequest cannot load file: Cross origin requests are only supported for HTTP
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM