最近有很多 Chrome 浏览器用户突然发现设置选项提示“由贵单位管理”,并且还可能在操作中心里弹出这个通知,或者在“下载”页面中出现“您的浏览器由所属组织管理”,或者在“关于 Google Chrome(G)”页面中出现“您的浏览器受管理”。如果是企业用户遇到这个通知可能还能理解但不少个人用户也遇到这种情况,使用的并非谷歌浏览器企业版。


Chrome Extension:Content Scripts

Content scripts are JavaScript files that run in the context of web pages. By using the standard?Document Object Model?(DOM), they can read details of the web pages the browser visits, or make changes to them.

Here are some examples of what content scripts can do:

  • Find unlinked URLs in web pages and convert them into hyperlinks
  • Increase the font size to make text more legible
  • Find and process?microformat?data in the DOM

However, content scripts have some limitations. They?cannot:

These limitations aren't as bad as they sound. Content scripts can?indirectly?use the chrome.* APIs, get access to extension data, and request extension actions by exchanging?messages?with their parent extension. Content scripts can also make?cross-site XMLHttpRequests?to the same sites as their parent extensions, and they cancommunicate with web pages?using the shared DOM. For more insight into what content scripts can and can't do, learn about the?execution environment.

If your content script's code should always be injected, register it in the?extension manifest?using the?content_scripts?field, as in the following example.

"name": "My extension",
"content_scripts": [
"matches": ["*"],
"css": ["mystyles.css"],
"js": ["jquery.js", "myscript.js"]





If you want to inject the code only sometimes, use the?permissions?field instead, as described in?Programmatic injection.

"name": "My extension",
"permissions": [
"tabs", "*"



Using the?content_scripts?field, an extension can insert multiple content scripts into a page; each of these content scripts can have multiple JavaScript and CSS files. Each item in the?content_scripts?array can have the following properties:

Name Type Description
matches array of strings Required.?Specifies which pages this content script will be injected into. See?Match Patterns?for more details on the syntax of these strings and?Match patterns and globs?for information on how to exclude URLs.
exclude_matches array of strings Optional.?Excludes pages that this content script would otherwise be injected into. See?Match Patternsfor more details on the syntax of these strings and?Match patterns and globs?for information on how to exclude URLs.
match_about_blank boolean Optional.?Whether to insert the content script on?about:blank?and?about:srcdoc. Content scripts will only be injected on pages when their inherit URL is matched by one of the declared patterns in thematches?field. The inherit URL is the URL of the document that created the frame or window.
Content scripts cannot be inserted in sandboxed frames.Defaults to?false.
css array of strings Optional.?The list of CSS files to be injected into matching pages. These are injected in the order they appear in this array, before any DOM is constructed or displayed for the page.
js array of strings Optional.?The list of JavaScript files to be injected into matching pages. These are injected in the order they appear in this array.
run_at string Optional.?Controls when the files in?js?are injected. Can be "document_start", "document_end", or "document_idle". Defaults to "document_idle".

In the case of "document_start", the files are injected after any files from?css, but before any other DOM is constructed or any other script is run.

In the case of "document_end", the files are injected immediately after the DOM is complete, but before subresources like images and frames have loaded.

In the case of "document_idle", the browser chooses a time to inject scripts between "document_end" and immediately after the?window.onload?event fires. The exact moment of injection depends on how complex the document is and how long it is taking to load, and is optimized for page load speed.

Note:?With "document_idle", content scripts may not necessarily receive the?window.onload?event, because they may run after it has already fired. In most cases, listening for the?onload?event is unnecessary for content scripts running at "document_idle" because they are guaranteed to run after the DOM is complete. If your script definitely needs to run after?window.onload, you can check if?onload?has already fired by using the?document.readyState?property.

all_frames boolean Optional.?Controls whether the content script runs in all frames of the matching page, or only the top frame.

Defaults to?false, meaning that only the top frame is matched.

include_globs array of string Optional.?Applied after?matches?to include only those URLs that also match this glob. Intended to emulate the?@include?Greasemonkey keyword. See?Match patterns and globs?below for more details.
exclude_globs array of string Optional.?Applied after?matches?to exclude URLs that match this glob. Intended to emulate the?@excludeGreasemonkey keyword. See?Match patterns and globs?below for more details.

The content script will be injected into a page if its URL matches any?matches?pattern and any?include_globspattern, as long as the URL doesn't also match an?exclude_matches?or?exclude_globs?pattern. Because the?matches?property is required,?exclude_matches,?include_globs, and?exclude_globs?can only be used to limit which pages will be affected.

For example, assume?matches?is?["http://**"]:

  • If?exclude_matches?is?["*://*/*business*"], then the content script would be injected into "" but not into "".
  • If?include_globs?is?["**"], then the content script would be injected into "http:/" and "" but not into "".
  • If?exclude_globs?is?["*science*"], then the content script would be injected into "" but not into "" or "".

Glob properties follow a different, more flexible syntax than?match patterns. Acceptable glob strings are URLs that may contain "wildcard" asterisks and question marks. The asterisk (*) matches any string of any length (including the empty string); the question mark (?) matches any single character.

For example, the glob "http://???*" matches any of the following:

  • ""
  • ""

However, it does?not?match the following:

  • ""
  • ""
  • ""

Inserting code into a page programmatically is useful when your JavaScript or CSS code shouldn't be injected into every single page that matches the pattern — for example, if you want a script to run only when the user clicks a browser action's icon.

To insert code into a page, your extension must have?cross-origin permissions?for the page. It also must be able to use the?chrome.tabs?module. You can get both kinds of permission using the manifest file'spermissions?field.

Once you have permissions set up, you can inject JavaScript into a page by calling?tabs.executeScript. To inject CSS, use?tabs.insertCSS.

The following code (from the?make_page_red?example) reacts to a user click by inserting JavaScript into the current tab's page and executing the script.

When the browser is displaying an HTTP page and the user clicks this extension's browser action, the extension sets the page's?bgcolor?property to 'red'. The result, unless the page has CSS that sets the background color, is that the page turns red.

Usually, instead of inserting code directly (as in the previous sample), you put the code in a file. You inject the file's contents like this:

Content scripts execute in a special environment called an?isolated world. They have access to the DOM of the page they are injected into, but not to any JavaScript variables or functions created by the page. It looks to each content script as if there is no other JavaScript executing on the page it is running on. The same is true in reverse: JavaScript running on the page cannot call any functions or access any variables defined by content scripts.

For example, consider this simple page: