UnXSS

UnXSS插件简介

UnXSS插件描述

Modify  delete websites security headers on the fly.

• If you want to load a website in an iframe,  that website uses "XFrameOptions: SAMEORIGIN", Chrome will refuse to show the website. Use the "Delete XFrameOptions header" option to have Chrome igne that restriction.

• If you want to call a feign AJAX endpoint from a website that has "ContentSecurityPolicy: ..." set to disallow wildcard scriptsrc, use the "Delete ContentSecurityPolicy header" to allow running any script on that page.

• If you want to call out to an API endpoint that doesnt specify itself as CORSfriendly, enable the "Add AccessControlAllowOrigin: * header"  "Add AccessControlAllowMethods: * header" options.

Each restriction can be disabled  enabled individually,  a list of checkboxes on the configuration page clearly indicates which restrictions are disabled.

Source code: https://github.com/chbrown/chromeunxss
                                

UnXSS插件离线安装方法

1.首先用户点击谷歌浏览器右上角的自定义及控制按钮，在下拉框中选择设置。

2.在打开的谷歌浏览器的扩展管理器最左侧选择扩展程序或直接输入：chrome://extensions/

3.找到自己已经下载好的Chrome离线安装文件xxx.crx，然后将其从资源管理器中拖动到Chrome的扩展管理界面中，这时候用户会发现在扩展管理器的中央部分中会多出一个”拖动以安装“的插件按钮。

4.下载 UnXSSChrome插件v0.0.4版本到本地。

5.勾选开发者模式，点击加载已解压的扩展程序，将文件夹选择即可安装插件。

注意：最新版本的chrome浏览器直接拖放安装时会出现“程序包无效CRX-HEADER-INVALID”的报错信息，参照这篇文章即可解决