发表新帖
发表新帖

Chrome extension: loading a hidden page (without iframe)

前端 未结
关注
2 1691
有刺的猬
有刺的猬 2020-12-06 07:06

Is there a way to load a page, hidden from the user?

I can\'t use an iframe in a background page, because the page has frame-busting techniques.

相关标签:
2条回答
  • 故里飘歌
    2020-12-06 07:27

    You can use popUnder s to load data:

    var win2;
function loadPopUnder(){
win2 = window.open("about:blank","",
    width=150,height=150,scrollbars=0,resizable=0,toolbar=0,location=0,menubar=0,status=0,directories=0");
    win2.blur();
    window.focus()
}

win2.document.location.href='http://www.exampe.com/url';

    Actually they may open in a new tab in certain circumstances - you have to check the actual behavior.

    Also it is an advantage that this one is a browser independent solution.

    0 讨论(0)
  • 孤城傲影
    2020-12-06 07:47

    I'm afraid that you don't have any other option than inserting the iframe anyway. To bust the iframe buster, you can employ the following techniques:

    • If the iframe is blocked by the X-Frames-Option: DENY, just remove the header using the webRequest API - see Getting around X-Frame-Options DENY in a Chrome extension?.

    • If the frame buster uses something like

      if (top !== self) {
    top.location.href = location.href;
}

      Then block the scripted navigation by set the sandbox attribute on the iframe:

      var frame = document.createElement('iframe');
frame.sandbox = 'allow-scripts';
frame.src = 'data:text/html,<script>' +
    'if (top !== self) { top.location.href = location.href;}' +
    'alert(" (runs the rest of the code) ");' + 
    '</script>';
document.body.appendChild(frame);

      Navigation will be blocked without throwing any errors. The following message is logged to the console though:

      Unsafe JavaScript attempt to initiate navigation for frame with URL '(...URL of top page...)' from frame with URL '(....URL of frame..)'. The frame attempting navigation of the top-level window is sandboxed, but the 'allow-top-navigation' flag is not set.

    These methods will always work, unless:

    • The page contains <meta http-equiv="X-Frame-Options" content="deny">.
    • The frame busting script is implemented as if (top === self) { /* run code*/ }

    In these cases, you have no other option than opening a new tab, read its content, then close it. See chrome.tabs.create and chrome.tabs.remove.

    0 讨论(0)
 看不清?
提交回复
热议问题