Page with CSP breaks puppeteer #1229
Comments
|
+1 for ability to disable CSP. Use case: I'm using puppeteer as a post-build crawler to generate a static dump of my SPA. When crawling, I'd like to inline critical CSS, and add a CSP directive for the CSS text hash. While I'm at it, I want to change the API server from |
…violate Content Security Policy (puppeteer#1229)
|
+1 for ability to disable CSP. Thank you. |
|
In order to disable CSP, it's not a complete solution but adding I'm working on that idea, but it will be probably difficult to completely disable CSP with current Chrome DevTool Protocol because I don't find APIs to intercept/modify response headers to do that yet. |
|
Here's my workaround: import fetch from 'node-fetch'
const requestInterceptor = async (request) => {
const url = request.url()
const requestHeaders = request.headers()
const acceptHeader = requestHeaders.accept || ''
if (url.includes('some-website-with-csp.com') && (acceptHeader.includes('text/html'))) {
const cookiesList = await page.cookies(url)
const cookies = cookiesList.map(cookie => `${cookie.name}=${cookie.value}`).join('; ')
delete requestHeaders['x-devtools-emulate-network-conditions-client-id']
if (requestHeaders.Cookie) {
requestHeaders.cookie = requestHeaders.Cookie
delete requestHeaders.Cookie
}
const theseHeaders = Object.assign({'cookie': cookies}, requestHeaders, {'accept-language': 'en-US,en'})
const init = {
body: request.postData(),
headers: theseHeaders,
method: request.method(),
follow: 20,
}
const result = await fetch(
url,
init,
)
const resultHeaders = {}
result.headers.forEach((value, name) => {
if (name.toLowerCase() !== 'content-security-policy') {
resultHeaders[name] = value
} else {
console.log('CSP', `omitting CSP`, {originalCSP: value})
}
})
const buffer = await result.buffer()
await request.respond({
body: buffer,
resultHeaders,
status: result.status,
})
} else {
request.continue();
}
}
await page.setRequestInterception(true)
page.on('request', requestInterceptor)Related: #599 |
|
@niieani, I'm getting requestStory undefined. is it something I'm missing or where does that variable come from? |
|
@marcelmattsson apologies, that was just my logger I forgot to remove before posting (I use |
|
haha no worries, guess I'm doing something else wrong then since I'm still getting the EvalError even though I also see the console log telling me its omitting CSP. |
|
@marcelmattsson perhaps some TypeScript leftovers were causing it (I'm assuming you're not using it)? I've removed all the types from my snippet now (I think so at least). |
|
Was never CSP in the headers at all... was meta tags with CSP who was the culprit. |
|
+1 CSP breaks my flow. :( no workarounds as for now. |
|
Hi @XBeg9, doesn't my workaround work for you? |
This patch adds a test to fixate page.waitForFunction behavior for pages with CSP. References #1229.
This roll includes: - https://crrev.com/547982 - v8 roll that includes [fixed Runtime.callFunctionOn](https://chromium.googlesource.com/v8/v8/+/1637818671c66333e3a3cf1b96a7326ba163f8b5) method The upstream fix makes it possible to run frame.waitFor* functions on pages with strict CSP. References puppeteer#1229.
This roll includes: - https://crrev.com/547982 - v8 roll that includes [fixed Runtime.callFunctionOn](https://chromium.googlesource.com/v8/v8/+/1637818671c66333e3a3cf1b96a7326ba163f8b5) method The upstream fix makes it possible to run frame.waitFor* functions on pages with strict CSP. References #1229.
This patch adds a test that Page.evaluateOnNewDocument works with CSP: there's been some concerns on the bugtracker before. References puppeteer#1229
This patch adds a test that Page.evaluateOnNewDocument works with CSP: there's been some concerns on the bugtracker before. References #1229
This patch teaches Page.addScriptTag and Page.addStyleTag to throw an error when blocked by CSP. References puppeteer#1229.
This patch teaches Page.addScriptTag and Page.addStyleTag to throw an error when blocked by CSP. References #1229.
This roll includes: - https://crrev.com/548598 - DevTools: implement Page.setBypassCSP method - https://crrev.com/548690 - DevTools: introduce Page.navigatedWithinDocument event References puppeteer#1229, puppeteer#257.
This roll includes: - https://crrev.com/548598 - DevTools: implement Page.setBypassCSP method - https://crrev.com/548690 - DevTools: introduce Page.navigatedWithinDocument event References #1229, #257.
This patch introduces `page.setBypassCSP` method that allows clients to ignore Content-Security-Policy for a given page. Fixes puppeteer#1229.
This patch introduces `page.setBypassCSP` method that allows clients to ignore Content-Security-Policy for a given page. Fixes #1229.
|
Thanks @niieani — your solution inspired this simplified approach for a backstopjs usecase garris/BackstopJS@67801c2 @aslushnikov looking forward to #2324! 🎁 |
|
Another workaround (without removing CSP from the entire page, which depending on security requirements of your use may leave the site too wide open) is to parse the CSP script-src directive, and pick a URL that is allowed. Then in your injected script tag create a fake URL from the origin allowed by CSP, for example, if CSP script-src looks like:
then inject a script tag with the following src:
then create a fake "virtual proxy" to intercept requests for:
and keep an internal map of {
['my-fake-path/my-script-001.js']: {
headers: { ... },
responseBody: '...'
}
}and serve those headers and body in response to the request you intercepted from your injected script tag. |
|
By setting the flag page.setBypassCSP to true work for me. |
A page with CSP will break some of puppeteer methods, such as
page.addScriptTag. At the very least, we should fail gracefully.It would be ideal to have a way to disable CSP altogether.
Reported in: #1091
The text was updated successfully, but these errors were encountered: