
Hard to sort out the CSP problem on Firefox #2

Open
twtw opened this issue Dec 31, 2017 · 1 comment

Comments

@twtw (Owner) commented Dec 31, 2017

Implemented as a bookmarklet, it always runs quickly and successfully in Chrome, but in Firefox an error message like the following often appears and it fails to run:

Content Security Policy: The page’s settings blocked the loading of a resource at self

I found this post, which may point in the direction of a solution:
Doesn't work because of Content Security Policy - Greasy Forum

Github has what I think must be an unusually strict CSP:

default-src *; script-src assets-cdn.github.com www.google-analytics.com collector-cdn.github.com; object-src assets-cdn.github.com; style-src 'self' 'unsafe-inline' 'unsafe-eval' assets-cdn.github.com; font-src assets-cdn.github.com

The script-src does not allow execution of inline scripts (does not have "unsafe-inline"), so Firefox disables inline scripts in the page. As a result, the userscript that is the subject of this thread can inject the script but Firefox will not execute it.

https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives#Supported_policy_directives

The "solution" is to execute the code from the userscript. I was able to inject a button into the page with an event listener pointing back at the userscript, so at least a basic UI is possible. But I'm not sure about more complicated stuff.

Tested Script:

```javascript
// The button is created from the userscript, and its click handler is a function
// defined in the userscript's own scope, so the page's script-src (which has no
// 'unsafe-inline') does not stop it from running.
function yellowbod() {
  document.body.style.backgroundColor = "yellow";
}
var s = document.createElement("button");
s.addEventListener("click", yellowbod, false);
s.appendChild(document.createTextNode("TEST"));
document.body.appendChild(s);
```

Edit: Here's a page to test some of the possible script-src directives against bookmarklets and userscripts:

HTTPS:
https://jeffersonscher.com/res/csp-tester.php

HTTP:
http://jeffersonscher.com/res/csp-tester.php

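The quoted thread's explanation, worked through in code. This is an added example and is not code from the issue or from the Greasy Forum post: a small evaluator that makes the same script-src and style-src decisions a browser makes, run against the GitHub policy quoted above. It assumes a page origin of https://github.com and deliberately leaves out 'strict-dynamic', path matching and report-only policies; nonce and hash sources are recognised only for the effect they have on 'unsafe-inline'. It shows why the three approaches in the thread differ: the policy's script-src lacks 'unsafe-inline', so inline script (a `javascript:` bookmarklet URL or an injected `<script>` with inline text) is refused, while style-src does allow inline styles, and a listener attached from the userscript's own scope is not page-origin script and runs.

```javascript
// Added example (not from the issue or the Greasy Forum post): a CSP script-src/style-src
// evaluator. Assumptions: 'strict-dynamic', path matching and report-only are not modelled;
// nonce/hash sources only matter for whether 'unsafe-inline' is honoured.

// The policy quoted in the issue, copied from the post.
const GITHUB_CSP_2017 =
  "default-src *; script-src assets-cdn.github.com www.google-analytics.com collector-cdn.github.com; " +
  "object-src assets-cdn.github.com; style-src 'self' 'unsafe-inline' 'unsafe-eval' assets-cdn.github.com; " +
  "font-src assets-cdn.github.com";

// Parse "name src src; name src" into a Map of directive -> source list.
// A repeated directive is ignored: only the first occurrence counts.
function parseCsp(header) {
  const policy = new Map();
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// script-src and style-src fall back to default-src when absent.
// null means neither is present, i.e. unrestricted.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has("default-src")) return policy.get("default-src");
  return null;
}

// Inline script/style (javascript: URLs included) is allowed only by 'unsafe-inline',
// and 'unsafe-inline' is ignored as soon as a nonce or hash source is present.
function allowsInline(policy, directive) {
  const sources = effectiveSources(policy, directive);
  if (sources === null) return true;
  const hasNonceOrHash = sources.some(s => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  return !hasNonceOrHash && sources.some(s => s.toLowerCase() === "'unsafe-inline'");
}

function defaultPort(protocol) {
  return protocol === "https:" ? "443" : protocol === "http:" ? "80" : "";
}

function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1);            // "*.github.com" -> ".github.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does one source expression match a URL fetched by a page at pageOrigin?
function sourceMatches(source, url, pageOrigin) {
  const src = source.toLowerCase();
  if (src === "'self'") return url.origin === pageOrigin;
  if (src.startsWith("'")) return false;        // 'none', 'unsafe-inline', nonces, hashes never match a URL
  if (src === "*") return url.protocol === "http:" || url.protocol === "https:";
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return url.protocol === src;   // scheme-source such as "https:"
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?(\/.*)?$/);
  if (!m) return false;
  const [, scheme, hostPattern, port] = m;
  const pageScheme = new URL(pageOrigin).protocol;
  if (scheme) {
    if (url.protocol !== scheme + ":") return false;
  } else if (url.protocol !== pageScheme && !(pageScheme === "http:" && url.protocol === "https:")) {
    return false;                               // scheme-less host: page's scheme, or http page upgraded to https
  }
  if (!hostMatches(hostPattern, url.hostname)) return false;
  if (port && port !== "*" && (url.port || defaultPort(url.protocol)) !== port) return false;
  return true;
}

function allowsScriptFrom(policy, scriptUrl, pageOrigin) {
  const sources = effectiveSources(policy, "script-src");
  if (sources === null) return true;
  const url = new URL(scriptUrl);
  return sources.some(s => sourceMatches(s, url, pageOrigin));
}

// How the three approaches discussed in the thread fare under a given policy.
function injectionOutcomes(policy) {
  const inline = allowsInline(policy, "script-src");
  return {
    bookmarklet: inline,              // a javascript: URL is inline script under script-src
    injectedInlineScriptTag: inline,  // a <script> element with inline text: same rule
    listenerFromUserscript: true      // the handler is the userscript's own function, not page script
  };
}
```

Against the quoted policy, `allowsInline(policy, "script-src")` is false and `allowsInline(policy, "style-src")` is true, which is exactly the asymmetry the thread describes; `injectionOutcomes` records that only the listener-from-userscript approach survives it. The evaluator also makes the less obvious point that `default-src *` does nothing for inline script: `*` only ever matches network URLs.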