为什么内联JS块不安全?
[英]Why are inline JS blocks unsafe?
问题描述
I'm reading Chrome extension document " Content Security Policy (CSP) ". 
我正在阅读Chrome扩展程序文档“ 内容安全策略(CSP) ”。 It says: 它说:
Inline JavaScript, as well as dangerous string-to-JavaScript methods like eval, will not be executed.
<button onclick="...">).<button onclick="...">)。...
There is no mechanism for relaxing the restriction against executing inline JavaScript.
Why are inline <script> blocks unsafe? 为什么内联<script>块不安全? Can anyone explain it? 有人能解释一下吗? It will be better if you can give examples. 如果你能举例,会更好。
Thank you. 谢谢。
1 个解决方案
解决方案1
5 已采纳 2012-08-11 16:04:30
As the page says: 正如页面所说:
The first restriction wipes out a huge class of cross-site scripting attacks by making it impossible for you to accidentally execute script provided by a malicious third-party.
Basically any script you load needs to be in a separate file accessible locally to the extension. 基本上,您加载的任何脚本都需要位于扩展本地可访问的单独文件中。 This prevents you from loading 3rd party scripts that get injected into your page or including them like: 这可以防止您加载注入页面或包含它们的第三方脚本,如:
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js"></script>
An example of this is if you have a form a user can fill out. 例如,如果您有一个用户可以填写的表单。 The user can enter a script tag with some JS in it. 用户可以在其中输入带有一些JS的脚本标记。 Let's say it's like a discussion forum. 让我们说它就像一个讨论论坛。 I go in and make a topic but it has some hidden JS in it. 我进去做一个主题,但它有一些隐藏的JS。 Let's also assume you don't clean that out before posting it. 我们还假设您在发布之前不要清除它。 Now my post has JS that will execute every time somebody views it. 现在我的帖子有JS,每当有人看到它时都会执行。 This prevents that script from being executed. 这可以防止该脚本被执行。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.