frank-lsf · December 7, 2013 23:43 · njradford · Jul 31, 2014
diff --git a/why-facebook-sdk-doesnt-work-for-chrome-ext b/why-facebook-sdk-doesnt-work-for-chrome-ext
 The official way to import the Facebook JavaScript SDK is like this:

    // Load the SDK asynchronously
      (function(){
         // If we've already installed the SDK, we're done
         if (document.getElementById('facebook-jssdk')) {return;}

         // Get the first script element, which we'll use to find the parent node
         var firstScriptElement = document.getElementsByTagName('script')[0];

         // Create a new script element and set its id
         var facebookJS = document.createElement('script'); 
         facebookJS.id = 'facebook-jssdk';

         // Set the new script's source to the source of the Facebook JS SDK
         facebookJS.src = '//connect.facebook.net/en_US/all.js';

         // Insert the Facebook JS SDK into the DOM
         firstScriptElement.parentNode.insertBefore(facebookJS, firstScriptElement);
       }());
       
 The process fetches a JavaScript string from Facebook, and then evaluates it and injects it to the DOM Tree. In fact, the SDK itself (`all.js`) also involves the process of evaluating JavaScript strings, so loading the JS through a standard `<script>` HTML tag cannot completely bypass the issue.

 But according to Google Chrome requires its extensions to comply with the [Content Security Policy][1], and explicitly states that the inline evaluation of JavaScript is strictly prohibited (See Google Chrome Developer's Documentation http://developer.chrome.com/extensions/contentSecurityPolicy.html). We believe the policy is due to the security concern that dangerous scripts might be executed if inline evaluation of, say, user-input of scripts, is allowed.

 We noticed that Chrome also prohibits the rendering of an iFrame from a non-HTTPS source. [Quote: Currently, we allow whitelisting origins with the following schemes: HTTPS, chrome-extension, and chrome-extension-resource.] And yet Facebook API creates an iFrame from a http source for the login window. We believe this is also due to a security concern that HTTP requests are too vulnerable to man-in-the-middle attack, and a malicious iframe source could lead to potential danger.

 然后那个Chrome提供了修改CSP的方法，但是上面说的两个硬要求是不能override的。


  [1]: https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#syntax
	The official way to import the Facebook JavaScript SDK is like this:

	// Load the SDK asynchronously
	(function(){
	// If we've already installed the SDK, we're done
	if (document.getElementById('facebook-jssdk')) {return;}

	// Get the first script element, which we'll use to find the parent node
	var firstScriptElement = document.getElementsByTagName('script')[0];

	// Create a new script element and set its id
	var facebookJS = document.createElement('script');
	facebookJS.id = 'facebook-jssdk';

	// Set the new script's source to the source of the Facebook JS SDK
	facebookJS.src = '//connect.facebook.net/en_US/all.js';

	// Insert the Facebook JS SDK into the DOM
	firstScriptElement.parentNode.insertBefore(facebookJS, firstScriptElement);
	}());

	The process fetches a JavaScript string from Facebook, and then evaluates it and injects it to the DOM Tree. In fact, the SDK itself (`all.js`) also involves the process of evaluating JavaScript strings, so loading the JS through a standard `<script>` HTML tag cannot completely bypass the issue.

	But according to Google Chrome requires its extensions to comply with the [Content Security Policy][1], and explicitly states that the inline evaluation of JavaScript is strictly prohibited (See Google Chrome Developer's Documentation http://developer.chrome.com/extensions/contentSecurityPolicy.html). We believe the policy is due to the security concern that dangerous scripts might be executed if inline evaluation of, say, user-input of scripts, is allowed.

	We noticed that Chrome also prohibits the rendering of an iFrame from a non-HTTPS source. [Quote: Currently, we allow whitelisting origins with the following schemes: HTTPS, chrome-extension, and chrome-extension-resource.] And yet Facebook API creates an iFrame from a http source for the login window. We believe this is also due to a security concern that HTTP requests are too vulnerable to man-in-the-middle attack, and a malicious iframe source could lead to potential danger.

	然后那个Chrome提供了修改CSP的方法，但是上面说的两个硬要求是不能override的。


	[1]: https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#syntax