Harry-Chen / Learn-Helper

Tsinghua University Web Learning helper
https://chrome.google.com/webstore/detail/learn-helper/mdehapphdlihjjgkhmoiknmnhcjpjall
MIT License
208 stars 37 forks

Original announcement page fails to display; homework cannot be submitted #103

Closed LDYang694 closed 3 years ago

LDYang694 commented 3 years ago

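Clicking the "original announcement" link in a course announcement opens a blank page, and the pages reached through the course files and similar entries in the sidebar are blank as well. v4.4.2 (build on Harry-XPS at 2021/09/11 10:00:21) [image: 微信截图_20210914191454] [image: 微信截图_20210914191519]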

Harry-Chen commented 3 years ago

My initial assessment is that this is caused by the link not carrying the CSRF token.

Harry-Chen commented 3 years ago

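This issue is fairly complicated. Some of the announcement pages do not depend on the CSRF token in the link; instead, when making AJAX calls they read it from `document.cookie` and append it to the API request URL. The problem now is that `document.cookie` appears to be empty for pages inside the iframe.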

Harry-Chen commented 3 years ago

A related description:

https://stackoverflow.com/questions/45094712/iframe-not-reading-cookies-in-chrome

Harry-Chen commented 3 years ago

According to the Chromium documentation:

The chrome.cookies API is able to read and set any kind of cookie, including SameSite cookies. However, a web page embedded in an extension page is considered to be in a third party context for the purposes of document.cookie (JavaScript) accesses. For content scripts, the behavior of SameSite cookies is exactly the same as if the request were initiated from the page on which the content script is running.

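This means that scripts in the frame really cannot read the cookie, so they cannot correctly issue requests that carry the CSRF token.

The Web Learning implementation is too convoluted; there does not seem to be a good way around this.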
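The failure described in the comments above, as an added example that is not part of the thread or of Learn-Helper's own code: a page script that takes its CSRF token from `document.cookie` finds nothing when framed in an extension page, while extension code can obtain the same cookie through `chrome.cookies`. The cookie name, query parameter, host and the injected `cookiesApi` object (standing in for `chrome.cookies` with its promise-returning `get`) are assumptions.

```javascript
// Added example. The names below are assumptions, not taken from the thread.
const TOKEN_COOKIE = 'XSRF-TOKEN';          // assumed cookie name
const TOKEN_PARAM = '_csrf';                // assumed query parameter
const ORIGIN = 'https://learn.example.edu'; // placeholder host

// Look up one cookie in a document.cookie-style string ("a=1; b=2").
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq !== -1 && part.slice(0, eq).trim() === name) {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// What the site's page script does: append the token to the API URL.
// Fails closed when no token is available instead of sending "null".
function withCsrfToken(apiUrl, token) {
  if (!token) throw new Error('CSRF token unavailable in this context');
  const url = new URL(apiUrl, ORIGIN);
  url.searchParams.set(TOKEN_PARAM, token);
  return url.toString();
}

// Extension-side lookup. cookiesApi stands in for chrome.cookies, which
// needs the "cookies" permission plus a host permission for ORIGIN.
async function tokenFromExtension(cookiesApi) {
  const cookie = await cookiesApi.get({ url: ORIGIN, name: TOKEN_COOKIE });
  return cookie ? cookie.value : null;
}

// Constructed sample contexts.
const firstPartyCookies = 'JSESSIONID=abc; XSRF-TOKEN=tok-123';
const framedInExtensionCookies = ''; // third-party context, as reported above
```

In the framed case `readCookie` returns `null`, so `withCsrfToken` throws rather than issuing a request without a valid token; a token obtained through `tokenFromExtension` can be passed to the same function.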

Harry-Chen commented 3 years ago

In addition, the homework submission feature in the sidebar has also stopped working for a similar reason.

Harry-Chen commented 3 years ago

Fixed in 1c325e2c0d26b58aaa97f35b170bf38568957a3a and 218baf3e869f9f602db5a3f1bcf07b730259c914; the next release will include these changes.

Harry-Chen commented 3 years ago

Released in v4.4.3