Javascript 如何在 Chrome 中强制加载动态的、不安全的内容?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/14058789/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to force loading dynamic, insecure content in Chrome?
提问by Rudie
I'm using Jira in https and I have some adjustments I'd like to make with some extra JS. My JS is hosted on an insecure server (no https available).
我在 https 中使用 Jira,我想用一些额外的 JS 做一些调整。我的 JS 托管在不安全的服务器上(没有可用的 https)。
When I dynamically load the insecure JS file by inserting it into the DOM (using a browser extension), Chrome tells me:
当我通过将不安全的 JS 文件插入到 DOM(使用浏览器扩展)来动态加载它时,Chrome 告诉我:
[blocked] The page at
https://jiraserver/browseran insecure content fromhttp://myserver/jira.js.
[已阻止] 页面
https://jiraserver/browse运行了来自 的不安全内容http://myserver/jira.js。
I can see how this is very secure and all, but I don't care. I want to load that insecure JS file. How can I tell Chrome to trust me and just do what I say?
我可以看到这是非常安全的,但我不在乎。我想加载那个不安全的 JS 文件。如何让 Chrome 相信我并按照我说的做?
My insertion method (in the extension code):
我的插入方法(在扩展代码中):
document.body.appendChild((function(s){s.src='http://myserver/jira.js';return s;})(document.createElement('script')));
采纳答案by ariera
According to this Chrome Support Q&Ayou can launch your Chrome with the following command line flag to prevent Chrome from checking for insecure content:
根据此 Chrome 支持问答,您可以使用以下命令行标志启动 Chrome,以防止 Chrome 检查不安全的内容:
--allow-running-insecure-content
--allow-running-insecure-content
Here is some documentationon how to run Chrome with command flags
回答by josh3736
Chrome simply will not load an insecure script in a secure page.
Chrome 根本不会在安全页面中加载不安全的脚本。
Does your jira.js haveto be loaded from a server? The best way to inject it into the page would be by including it in your extension bundle.
您的 jira.js 是否必须从服务器加载?将其注入页面的最佳方法是将其包含在您的扩展包中。
var s = document.createElement('script');
s.src = chrome.extension.getURL("jira.js");
s.onload = function() {
this.parentNode.removeChild(this);
};
(document.head||document.documentElement).appendChild(s);
If you mustload it from a server, I suppose your extension could make a XHR request for the script, then inject the response into the page.
如果您必须从服务器加载它,我想您的扩展程序可以对脚本发出 XHR 请求,然后将响应注入页面。
// make a XHR request, then...
var s = document.createElement('script');
s.textContent = codeFromXHR;
(document.head||document.documentElement).appendChild(s);
s.parentNode.removeChild(s);
回答by programaths
I had the same problem: Our client link a CSS file and js file hosted in our server on a domain which is not secure.
我遇到了同样的问题:我们的客户端将托管在我们服务器上的 CSS 文件和 js 文件链接到一个不安全的域上。
We will solve it by using Amazon CloudFront. They server HTTPS using their certificates which is verified.
我们将使用 Amazon CloudFront 解决它。他们使用经过验证的证书来提供 HTTPS 服务。
That's not a bad solution for use since CDN is often a good idea and these resources are somewhat static. (The CSS file is tailored for each client and is in fact generated but a sane TTL can be configured and the CDN flushed if required)
这不是一个糟糕的使用解决方案,因为 CDN 通常是一个好主意,而且这些资源在某种程度上是静态的。(CSS 文件是为每个客户端量身定制的,实际上是生成的,但可以配置合理的 TTL 并在需要时刷新 CDN)
Note that the CDN solution may even be more affordable than actually buying a certificate depending on your data load.
请注意,根据您的数据负载,CDN 解决方案甚至可能比实际购买证书更实惠。
回答by Amit Garg
I have faced the same issue and find that if we are logged in to our google account in chrome then Chrome stop loading the insecure content in https.
我遇到了同样的问题,发现如果我们在 chrome 中登录到我们的谷歌帐户,那么 Chrome 会停止在 https 中加载不安全的内容。
If we use incognito windowin to load the website which has insecure content then it will work.
如果我们使用隐身窗口加载包含不安全内容的网站,那么它将起作用。
