Re: [crx] How to prevent inline JavaScript execution?


PhistucK

Feb 25, 2013, 10:47:23 AM
to anon, chromium-...@chromium.org
Depending on your context (webpage? background page? extension page?), you might be able to leverage Content Security Policy.

PhistucK


On Sat, Feb 23, 2013 at 8:29 PM, anon <shd...@gmail.com> wrote:
I want to block certain script tags from execution.
For external scripts I can use the beforeload event to reject them.

But how to prevent execution of inline JavaScript?


anon

Feb 27, 2013, 10:57:21 PM
to chromium-...@chromium.org, anon
I want to block the webpage's inline (and external) scripts, and later insert my own scripts into the webpage.

It seems that I can hook webRequest.onHeadersReceived to insert a fake CSP header to disable inline scripts?
However, how do I then insert my own scripts into the webpage if my scripts are dynamically generated?


On Monday, February 25, 2013 11:47:23 PM UTC+8, PhistucK wrote:
Depending on your context (webpage? background page? extension page?), you might be able to leverage Content Security Policy.

PhistucK


On Sat, Feb 23, 2013 at 8:29 PM, anon <shd...@gmail.com> wrote:
I want to block certain script tags from execution.
For external scripts I can use the beforeload event to reject them.

But how to prevent execution of inline JavaScript?


PhistucK

Feb 28, 2013, 2:39:30 AM
to anon, chromium-...@chromium.org
I guess you could only allow scripts from your extension host or blob scheme (and create the dynamic script as a blob and use window.URL.createObjectURL to get a URL from which you could load it).
I have not tried it, though.

PhistucK
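
The approach discussed in this thread, sketched as an added example that is not part of any poster's message: a blocking `webRequest.onHeadersReceived` listener appends a `Content-Security-Policy` header whose `script-src` lists only the extension origin and `blob:`, so inline scripts are refused. It assumes the Manifest V2 blocking webRequest API of the time; the helper names, the URL filter and the sample values are constructed, and the policy has not been verified against a browser.

```javascript
// Added example, not code from the thread. Helper names are hypothetical.

// Policy text: no 'unsafe-inline', so inline <script> blocks and on*
// attribute handlers are refused; only the extension origin and blob: URLs
// remain valid script sources, as suggested in the last reply.
function buildScriptPolicy(extensionOrigin) {
  return "script-src " + extensionOrigin + " blob:";
}

// Return a copy of the response headers with the extra policy appended.
// Existing CSP headers are kept: a browser enforces every policy it
// receives, so appending can only tighten what the page may run. A site
// policy that forbids blob: would therefore still block the injected script.
function addScriptPolicy(responseHeaders, extensionOrigin) {
  const headers = (responseHeaders || []).slice();
  headers.push({
    name: "Content-Security-Policy",
    value: buildScriptPolicy(extensionOrigin),
  });
  return headers;
}

// Background page: register only when running inside an extension.
// Needs the "webRequest" and "webRequestBlocking" permissions plus host
// permissions for the filtered URLs (example.com is a placeholder).
if (typeof chrome !== "undefined" && chrome.webRequest) {
  const origin = "chrome-extension://" + chrome.runtime.id;
  chrome.webRequest.onHeadersReceived.addListener(
    (details) => ({
      responseHeaders: addScriptPolicy(details.responseHeaders, origin),
    }),
    { urls: ["https://example.com/*"], types: ["main_frame", "sub_frame"] },
    ["blocking", "responseHeaders"]
  );
}

// Content script side: turn dynamically generated source into a blob: URL
// that can be assigned to a <script> element's src.
function blobScriptUrl(source) {
  const blob = new Blob([source], { type: "text/javascript" });
  return URL.createObjectURL(blob);
}
```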

