Content Security Policy (CSP) does not work in Firefox #1186

Closed
h3zjp opened this issue Mar 21, 2021 · 10 comments

h3zjp commented Mar 21, 2021

If you set "Modify existing content security policy (CSP) headers" to "Yes" in Firefox, the Content Security Policy will not work.
No problem with Chrome.
Thank you for your understanding.

Member

derjanb commented Apr 5, 2021

Content Security Policy will not work.

What exactly does not work? Do you see error messages?

daniel-white commented Apr 28, 2021

I'm running into the same issue. I get CSP blocked console error messages:

Content Security Policy: The page’s settings blocked the loading of a resource at eval (“script-src”).

Firefox: 78.10.0esr
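
The console message quoted above names script-src as the directive that blocked eval. As an added example (not part of the thread and not Tampermonkey's code), this sketch works out from a set of Content-Security-Policy header values whether eval() is permitted and which policy blocks it; the header strings and function names are constructed for illustration.

```javascript
// Added example: constructed header values, not taken from any real site.

// Parse one serialized policy into a Map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive inside one policy is ignored; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// One header value may carry several comma-separated policies.
function splitPolicies(headerValues) {
  return headerValues.flatMap(v => v.split(',')).map(p => p.trim()).filter(Boolean);
}

// eval() is governed by script-src, falling back to default-src. Every policy
// is enforced independently, so a single policy without 'unsafe-eval' blocks it.
function evalVerdict(headerValues) {
  const blockers = [];
  for (const policy of splitPolicies(headerValues)) {
    const d = parsePolicy(policy);
    const governing = d.has('script-src') ? 'script-src'
      : d.has('default-src') ? 'default-src' : null;
    if (governing === null) continue; // this policy does not restrict scripts
    const allows = d.get(governing).some(s => s.toLowerCase() === "'unsafe-eval'");
    if (!allows) blockers.push({ directive: governing, policy });
  }
  return { evalAllowed: blockers.length === 0, blockers };
}

// Constructed sample: the second policy allows eval, the first does not.
const sample = [
  "default-src 'self'; script-src 'self' https://cdn.example",
  "script-src 'self' 'unsafe-eval'",
];
const verdict = evalVerdict(sample);
console.log(verdict.evalAllowed, verdict.blockers.map(b => b.directive));
```

Because each policy is enforced on its own, adding a second, more permissive header never loosens the first one.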

Owyn commented Nov 28, 2021

For me - scripts don't work (don't run at all, can't execute even a single line of code)

"Modify existing content security policy (CSP) headers" is "Yes" here

Example url (disqus comments on sites): https://disqus.com/embed/comments/?base=default&f=reaperscans&t_i=87%20https%3A%2F%2Freaperscans.com%2F%3Fpost_type%3Dwp-manga%26p%3D87%26chapter%3Dchapter-79&t_u=https%3A%2F%2Freaperscans.com%2Fseries%2Fnano-machine%2Fchapter-79%2F&t_e=Nano%20Machine&t_d=Nano%20Machine%20-%20Chapter%2079&t_t=Nano%20Machine&s_o=popular#version=19d18907156f056077885e8c891dcf50

Other sites with CSP such as GitHub or Google seem to work fine though.

FF: 94.0.2 (64-bit)
TM: v4.13.6136

@derjanb derjanb added this to the 4.14 milestone Dec 16, 2021
@derjanb derjanb modified the milestones: 4.14, 4.15 Jan 28, 2022
Member

derjanb commented Jun 9, 2022

A fix is available at 4.18.6163 (xpi)

You have to either configure the userscript to use experimental

// @sandbox JavaScript

or force a non-raw sandbox mode via "Force JavaScript", "JavaScript+DOM" or "Force DOM".

Please install the BETA version or check for BETA version updates at about:addons

For a quick fix please export your settings and scripts as zip or (JSON) file at the "Utilities" tab and import it back at the fixed BETA version.

Crul commented Jun 10, 2022

@derjanb I confirm the new version with // @sandbox JavaScript works for me (Windows 10 - Firefox 101.0).

Thanks!

Crul commented Jun 11, 2022

EDIT: I cannot replicate this, so please ignore.

@derjanb I found one issue with the beta v4.18.6163 (Windows 10 - Firefox 101.0), GM_openInTab(url, { incognito: true }) has stopped working. I also tried to add // @sandbox JavaScript (no idea if it would make any sense, but it was an easy thing to try).

I can confirm that the same code works with (non-beta) v4.17.6161 on the same machine and browser.

Sorry if this is not the best place to write this, let me know if I should open a new issue.

cvzi commented Aug 12, 2022

When I add // @sandbox JavaScript, the script works fine if the page is opened in a tab.
But if the page is opened in an <iframe>, then document.write('<html>....') does not work. The script just stops at document.write('<html>....'), with no error message in the log.

@derjanb derjanb closed this as completed Sep 30, 2022
Aphexus commented Oct 22, 2022

I have no luck with this. I installed the latest beta and I'm trying to inject jQuery into sites (I have a master script which records some site info and I want to avoid jQuery conflicts and only load it if it's not available):

The resource at “https://code.jquery.com/jquery-3.2.1.slim.min.js” was blocked due to its Cross-Origin-Resource-Policy header (or lack thereof). See https://developer.mozilla.org/docs/Web/HTTP/Cross-Origin_Resource_Policy_(CORP)#

I've tried adding // @sandbox Javascript but get an error about sandbox not being a valid userscript header (this is an ESLint message though).

This is the script I'm using.

    // _run is the entry point defined elsewhere in the userscript.
    if (typeof jQuery === 'undefined') {
        loadScriptByURL("mjquery", "https://code.jquery.com/jquery-3.2.1.slim.min.js", _run);
    } else {
        _run();
    }

    // Inject a <script> element for `url` once (keyed by `id`), then invoke `callback`.
    function loadScriptByURL(id, url, callback) {
        const isScriptExist = document.getElementById(id);

        if (!isScriptExist) {
            var script = document.createElement("script");
            script.type = "text/javascript";
            script.src = url;
            script.id = id;
            script.onload = function () {
                if (callback) callback();
            };
            document.body.appendChild(script);
        }

        // The element is already present, so call back immediately.
        if (isScriptExist && callback) callback();
    }

cvzi commented Nov 15, 2022

I think this solution stopped working at some point.

Crul commented Nov 15, 2022

Although I had confirmed previously that it was working for me, at some point it started failing again, but I couldn't get enough info to add anything useful.
