Can you set up per-site rules as to whether this would be toggled on for certain sites, and off for everything else not whitelisted? #4
Comments
Hi, Phil
Like set up a rules setting, to allow certain web pages / domains to have CSP enabled for those specific sites.
I know this is old, but I would also like to see per-site rules. For instance, I use a Tampermonkey script to collect some data from a web page with a very long list of links. I also use GM_xmlhttpRequest to open those links and gather the needed data. Before enforcement of CSP I could create an iframe on that web page, or create a new page, and load the gathered data into that frame. Now that's impossible. So the ability to disable CSP just for that web page would help me a lot, without compromising security on other "dangerous" pages.
I see, so you are purposefully injecting a script onto a page to load in your own resources? In this case it's at least the frame-src policy that's denying your use case. You'd like to configure CSP to be disabled for a specific page, so you don't have to remember to disable it globally and re-enable it again. It sounds like a reasonable request. It could look similar to uMatrix in how it displays per-domain configuration.
Yes, exactly. Although Tampermonkey has its own option to add itself to a site's CSP, for some reason the frame-src policy prevents me from loading iframe.src = 'data:text/html;charset=utf-8,...' and document.getElementsByTagName('body')[0].appendChild(iframe); And when CSP is disabled, this works.
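
The following is an added example, not part of the thread or of the extension's code. It shows why a data: iframe like the one described above is refused even when a site never mentions frame-src: the check falls back to child-src and then default-src, and only an explicit data: source permits the load. The function names and sample header values are constructed for illustration, and only these three fetch directives are considered.

```javascript
// Added example: does a Content-Security-Policy header value allow framing a data: URL?
// Frame loads are governed by frame-src, falling back to child-src, then default-src.

function parsePolicy(policyText) {
  const directives = new Map();
  for (const part of policyText.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A directive repeated within one policy is ignored; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function governingFrameDirective(directives) {
  for (const name of ['frame-src', 'child-src', 'default-src']) {
    if (directives.has(name)) return { name, sources: directives.get(name) };
  }
  return null; // no fetch directive covers frames, so this policy does not restrict them
}

// Only the explicit scheme-source "data:" matches a data: URL.
// "*" covers network schemes only, and 'self' or 'none' never match it.
function sourcesAllowDataUrl(sources) {
  return sources.some((s) => s.toLowerCase() === 'data:');
}

// A header value may carry several comma-separated policies; every one must allow the load.
function checkDataIframe(headerValue) {
  const blockedBy = [];
  for (const policyText of headerValue.split(',')) {
    const governing = governingFrameDirective(parsePolicy(policyText));
    if (governing && !sourcesAllowDataUrl(governing.sources)) {
      blockedBy.push(`${governing.name} ${governing.sources.join(' ')}`.trim());
    }
  }
  return { allowed: blockedBy.length === 0, blockedBy };
}

// Constructed sample header values, not taken from any real site.
const samples = [
  "default-src 'self'; script-src 'self' 'unsafe-inline'",
  "default-src 'self'; frame-src 'self' data:",
  "script-src 'self'",
  "frame-src *",
];
for (const header of samples) console.log(header, '=>', checkDataIframe(header));
```

The blockedBy list names the directive a per-site rule would have to relax, which is narrower than switching CSP off for the whole page.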