
Refused to load the script because it violates the following Content Security Policy directive: script-src error with ChromeDriver, Chrome and Selenium

Stack Overflow user
Asked on 2019-12-06 06:14:51
Answers: 2  Views: 10K  Followers: 0  Votes: 3

I am trying to scrape the phone number from the links "https://www.practo.com/delhi/doctor/dr-rajeev-puri-ear-nose-throat-ent-specialist?specialization=Ear-Nose-Throat%20(ENT)%20Specialist&practice_id=912154" and "id=722421".

If the element exists it scrapes the phone number, otherwise the phone number is empty.

Spider code:

```python
from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.support import expected_conditions as EC
from selenium.common.exceptions import NoSuchElementException

options = webdriver.ChromeOptions()
options.add_argument('headless')
options.add_argument('window-size=1200x600')

driver = webdriver.Chrome(chrome_options=options)

driver.get('https://www.practo.com/delhi/doctor/dr-meeka-gulati-dentist-3?specialization=Dentist&practice_id=722421')

WebDriverWait(driver, 10).until(
                            EC.presence_of_element_located((By.XPATH, "//p[@data-a-target='carousel-broadcaster-displayname']"))
                            )
try:
    next1 = driver.find_element_by_xpath('//*[@class="c-btn--light c-btn--center"]')
    next1.click()

    next2 = driver.find_element_by_xpath('//*[@class="u-title-font icon-ic_call_filled u-valign--middle"]')
    next2.click()
    phone_number = driver.find_element_by_class_name('c-vn__number').get_attribute('innerHTML')
except NoSuchElementException:
    phone_number = None

print(phone_number)
```

Output

```text
DevTools listening on ws://127.0.0.1:60482/devtools/browser/9f226a40-2d1a-4108-9fde-f005b49e60b3
[1206/102937.475:INFO:CONSOLE(0)] "[Report Only] Refused to load the script 
'https://www.googletagmanager.com/gtag/js?id=AW-942004674' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' 'nonce-3RJz12sDPuoV27qS7dcBXLRZawmPobLo' *.practo.com *.practostatic.com *.onesignal.com *.mxpnl.com *.mixpanel.com *.facebook.com *.facebook.net *.twitter.com *.gstatic.com *.googleapis.com *.google.com *.googlesyndication.com *.newrelic.com *.google-analytics.com *.googletagmanager.com *.googleadservices.com *.googlesyndication.com *.doubleclick.net *.survicate.com in.wzrkt.com *.nr-data.net *.newrelic.com *.speedcurve.com *.ampproject.org *.netcore.co.in *.netcoresmartech.com *.criteo.net *.criteo.com https://secure.livechatinc.com". 'strict-dynamic' is present, so host-based whitelisting is disabled. Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

", source: https://www.practo.com/delhi/doctor/dr-rajeev-puri-ear-nose-throat-ent-specialist?specialization=Ear-Nose-Throat%20(ENT)%20Specialist&practice_id=912154 (0)
[1206/125829.645:INFO:CONSOLE(33)] "[Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' 'nonce-eNRfqc27QHPklLLhavu92zuUGDeEoSZL' *.practo.com *.practostatic.com *.onesignal.com *.mxpnl.com *.mixpanel.com *.facebook.com *.facebook.net *.twitter.com *.gstatic.com *.googleapis.com *.google.com *.googlesyndication.com *.newrelic.com *.google-analytics.com *.googletagmanager.com *.googleadservices.com *.googlesyndication.com *.doubleclick.net *.survicate.com in.wzrkt.com *.nr-data.net *.newrelic.com *.speedcurve.com *.ampproject.org *.netcore.co.in *.netcoresmartech.com *.criteo.net *.criteo.com https://secure.livechatinc.com". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.
    ", source: https://www.practo.com/delhi/doctor/dr-rajeev-puri-ear-nose-throat-ent-specialist?specialization=Ear-Nose-Throat%20(ENT)%20Specialist&practice_id=912154 (33)
[1206/125829.829:INFO:CONSOLE(0)] "[Report Only] Refused to frame 'https://9535906.fls.doubleclick.net/' because it violates the following Content Security Policy directive: "frame-src 'self' https://survicate.com *.practo.com *.criteo.net *.criteo.com https://www.facebook.com https://bid.g.doubleclick.net https://secure.livechatinc.com".
", source: https://www.googletagmanager.com/ (0)
[1206/125830.508:INFO:CONSOLE(0)] "[Report Only] Refused to frame 'https://9535906.fls.doubleclick.net/' because it violates the following Content Security Policy directive: "frame-src 'self' https://survicate.com *.practo.com *.criteo.net *.criteo.com https://www.facebook.com https://bid.g.doubleclick.net https://secure.livechatinc.com".
", source: https://www.googletagmanager.com/ (0)
```
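Added example (not part of the question): a small Python parser for ChromeDriver console lines in the format shown above. It separates `[Report Only]` CSP violations, which the browser reports without blocking anything, from enforced ones, and handles the page's case of one message wrapping across several lines. The sample log is constructed here, with the long policies shortened.

```python
import re
from dataclasses import dataclass
# Constructed sample in ChromeDriver's console format (policies shortened);
# the first record wraps across lines just as the question's output does.
SAMPLE_LOG = """\
[1206/102937.475:INFO:CONSOLE(0)] "[Report Only] Refused to load the script
'https://www.googletagmanager.com/gtag/js?id=AW-942004674' because it violates the following Content Security Policy directive: "script-src 'self' 'strict-dynamic' 'nonce-3RJz12sDPuoV27qS7dcBXLRZawmPobLo' *.practo.com". 'strict-dynamic' is present, so host-based whitelisting is disabled.

", source: https://www.practo.com/delhi/doctor/example?practice_id=912154 (0)
[1206/125829.645:INFO:CONSOLE(33)] "[Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'nonce-eNRfqc27QHPklLLhavu92zuUGDeEoSZL'".
    ", source: https://www.practo.com/delhi/doctor/example?practice_id=912154 (33)
[1206/125829.829:INFO:CONSOLE(0)] "[Report Only] Refused to frame 'https://9535906.fls.doubleclick.net/' because it violates the following Content Security Policy directive: "frame-src 'self' *.practo.com".
", source: https://www.googletagmanager.com/ (0)
[1206/130000.000:INFO:CONSOLE(0)] "Refused to load the script 'https://cdn.example.invalid/widget.js' because it violates the following Content Security Policy directive: "script-src 'self'".
", source: https://www.example.invalid/ (0)
"""

@dataclass
class CspViolation:
    report_only: bool   # True for a Content-Security-Policy-Report-Only header
    action: str         # "load the script", "execute inline script" or "frame"
    blocked: str        # blocked URL; empty for an inline script
    directive: str      # effective directive, e.g. "script-src"
    source: str         # document whose policy was violated

# A console record may span several lines, so match lazily with DOTALL up to
# the closing  ", source: <url> (<line>)  tail that ChromeDriver appends.
_RECORD = re.compile(r'\[\d{4}/\d{6}\.\d{3}:INFO:CONSOLE\(\d+\)\] "(?P<msg>.*?)", source: '
                     r'(?P<src>\S+) \(\d+\)', re.DOTALL)
_VIOLATION = re.compile(
    r"^(?P<ro>\[Report Only\] )?Refused to (?P<action>load the script|execute inline script|frame)"
    r"(?:\s+'(?P<blocked>[^']+)')? because it violates the following Content Security Policy "
    r'directive: "(?P<directive>[a-z-]+)')

def parse_csp_violations(log_text: str) -> list:
    """Extract every CSP violation record from ChromeDriver console output."""
    found = []
    for rec in _RECORD.finditer(log_text):
        m = _VIOLATION.match(rec.group("msg").strip())
        if m is None:
            continue  # some other console message
        found.append(CspViolation(m.group("ro") is not None, m.group("action"),
                                  m.group("blocked") or "", m.group("directive"), rec.group("src")))
    return found

def enforced_violations(log_text: str) -> list:
    """Only the violations that actually blocked a resource: Report-Only ones never do."""
    return [v for v in parse_csp_violations(log_text) if not v.report_only]
```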

2 answers

Stack Overflow user

Accepted answer

Posted on 2019-12-06 12:43:59

This error message...

```text
[1206/102937.475:INFO:CONSOLE(0)] "[Report Only] Refused to load the script 
'https://www.googletagmanager.com/gtag/js?id=AW-942004674' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' 'nonce-3RJz12sDPuoV27qS7dcBXLRZawmPobLo' *.practo.com *.practostatic.com *.onesignal.com *.mxpnl.com *.mixpanel.com *.facebook.com *.facebook.net *.twitter.com *.gstatic.com *.googleapis.com *.google.com *.googlesyndication.com *.newrelic.com *.google-analytics.com *.googletagmanager.com *.googleadservices.com *.googlesyndication.com *.doubleclick.net *.survicate.com in.wzrkt.com *.nr-data.net *.newrelic.com *.speedcurve.com *.ampproject.org *.netcore.co.in *.netcoresmartech.com *.criteo.net *.criteo.com https://secure.livechatinc.com". 'strict-dynamic' is present, so host-based whitelisting is disabled. Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
.
[1206/125830.508:INFO:CONSOLE(0)] "[Report Only] Refused to frame 'https://9535906.fls.doubleclick.net/' because it violates the following Content Security Policy directive: "frame-src 'self' https://survicate.com *.practo.com *.criteo.net *.criteo.com https://www.facebook.com https://bid.g.doubleclick.net https://secure.livechatinc.com".
", source: https://www.googletagmanager.com/ (0)
```

...implies that ChromeDriver was unable to initiate/spawn a new Browsing Context, i.e. a Chrome browser session.

Content Security Policy (CSP)

In order to mitigate cross-site scripting issues, Chrome's extension system has incorporated the concept of Content Security Policy (CSP), which introduces some fairly strict policies that make extensions more secure by default and gives us the ability to create and enforce rules governing the types of content that can be loaded and executed by your extensions and applications. CSP works as a block/allow listing mechanism for resources loaded or executed by extensions. Defining a reasonable policy for your extension lets you carefully consider the resources the extension requires and ask the browser to ensure that those are the only resources your extension has access to. These policies provide security over and above the host permissions the extension requests, acting as an additional layer of protection. Such policies are defined via an HTTP header or a meta element. In Chrome's extension system, the extension policy is defined in the extension's manifest.json file as follows:

```json
{
  "content_security_policy": "[POLICY STRING GOES HERE]"
}
```

Relaxing the Content Security Policy

Up to Chrome 45, there was no mechanism for relaxing the restriction against executing inline JavaScript. In particular, setting a script policy that included 'unsafe-inline' had no effect. However, as of Chrome 46, inline scripts can be allowed by specifying the base64-encoded hash of the source code in the policy. This hash must be prefixed by the hash algorithm used (sha256, sha384 or sha512). This can be achieved by adding http://* to style-src and/or script-src as follows:

```text
script-src 'self' http://xxxx 'unsafe-inline' 'unsafe-eval'; 
```

and/or

```text
style-src 'self' http://xxxx 'unsafe-inline' 'unsafe-eval';
```

This use case

However, I was able to access the webpage id=912154 easily as follows:

  • Code block:

```python
from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.support import expected_conditions as EC

options = webdriver.ChromeOptions()
options.add_argument('window-size=1200x600')
options.add_argument('--headless')
options.add_experimental_option("excludeSwitches", ["enable-automation"])
options.add_experimental_option('useAutomationExtension', False)
driver = webdriver.Chrome(options=options, executable_path=r'C:\Utility\BrowserDrivers\chromedriver.exe')
driver.get("https://www.practo.com/delhi/doctor/dr-rajeev-puri-ear-nose-throat-ent-specialist?specialization=Ear-Nose-Throat%20(ENT)%20Specialist&practice_id=912154")
print(driver.page_source)
driver.quit()
```

  • Console output:

Additional considerations

Ensure that:

References

You can find a relevant discussion in Calling eval() blocked by CSP with Selenium

Votes: 2
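Added example (not from the answer or from Stack Overflow): a small Python model of the script-src rules that the console messages above state, namely that a nonce or hash in the source list makes 'unsafe-inline' ignored and that 'strict-dynamic' disables host-based allowlisting, together with the hash-based allowance for inline scripts that the answer describes. It assumes a minimal policy parser and does not model trust propagation from an already nonced script.

```python
import base64
import hashlib
from urllib.parse import urlparse

HASH_ALGOS = ("sha256", "sha384", "sha512")

def parse_script_src(policy: str) -> list:
    """Source list of the script-src directive in a CSP header value ([] if absent)."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "script-src":
            return tokens[1:]
    return []

def inline_hash(script_body: str, algo: str = "sha256") -> str:
    """Hash source expression for an inline script, e.g. 'sha256-<base64 digest>'."""
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode()}'"

def _has_nonce(sources: list, nonce) -> bool:
    return nonce is not None and f"'nonce-{nonce}'" in sources

def inline_script_allowed(sources: list, script_body: str, nonce=None) -> bool:
    """A nonce or hash anywhere in the list makes 'unsafe-inline' ignored (second console message)."""
    if _has_nonce(sources, nonce):
        return True
    if any(inline_hash(script_body, a) in sources for a in HASH_ALGOS):
        return True
    prefixes = ("'nonce-",) + tuple(f"'{a}-" for a in HASH_ALGOS)
    nonce_or_hash_present = any(s.startswith(prefixes) for s in sources)
    return "'unsafe-inline'" in sources and not nonce_or_hash_present

def _host_matches(source: str, host: str) -> bool:
    pattern = source.lower().split("://")[-1].rstrip("/")   # drop a scheme prefix if present
    return host.endswith(pattern[1:]) if pattern.startswith("*.") else host == pattern

def external_script_allowed(sources: list, script_url: str, page_url: str, nonce=None) -> bool:
    """With 'strict-dynamic' present, 'self' and host sources are ignored (first console message)."""
    if _has_nonce(sources, nonce):
        return True
    if "'strict-dynamic'" in sources:
        return False   # only a nonce/hash (or trust propagated from a nonced script) can allow it
    script, page = urlparse(script_url), urlparse(page_url)
    if "'self'" in sources and (script.scheme, script.netloc) == (page.scheme, page.netloc):
        return True
    host = (script.hostname or "").lower()
    return any(not s.startswith("'") and _host_matches(s, host) for s in sources)
```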

Stack Overflow user

Posted on 2019-12-07 03:18:28

Actually, there is a Chrome protocol command for this, but it is marked as experimental:

```python
driver.execute_cdp_cmd("Page.setBypassCSP", {"enabled": True})
```
Votes: 0
Original page content provided by Stack Overflow. Translation supported by the Tencent Cloud Xiaowei IT-domain engine.
Original link:

https://stackoverflow.com/questions/59207838
