All geek questions in one place

Refused to run the JavaScript URL because it violates the following content security policy directive:

Before posting, I read the posts related to the header, and I'm sure there is a solution to my problem, but I'm such a n00b with extensions, JavaScript and JQuery. I can not tell...

Failure Code:

innerframe = $("<iframe/>").css({ top: WIDGET_TITLE_HEIGHT + "px", left: "0px", width: "100%", height: "1000px", border: "none", align: "center", display: "block"}) .appendTo(innerdiv) .load(function() { onStart() }) .attr({ frameBorder: 0, //scrolling:0, src: 'javascript:(function(){document.open();document.domain="' + document.domain + '";document.write(\' <!DOCTYPE html>' + '\');document.close();})();' })[0];

The string src: 'javascript ....' is an intruder, but I don’t know what this solution is.

The messages I read make it clear that the code is disrupting Chrome CSP, and I saw mention of messaging, sandboxing, etc.

I hope someone can provide a solution and help me understand what is happening.

Thanks in advance!

+4
source share
2 answers

Your script probably violates the same origin rule , which states that scripts can only be executed on pages that come from the same domain. To be specific, they must have the same protocol and host.

Your line document.write(\' <!DOCTYPE html>' + '\'); probably the culprit.

+1
source

Perhaps this page will help you.

http://developer.chrome.com/apps/sandboxingEval.html

This page talks about the sandbox.

0
source

Source: https://habr.com/ru/post/1501114/

More articles:


All Articles