Safari: Script unable to bypass CSP #296

Closed
silverwind opened this issue May 24, 2016 · 8 comments
@silverwind silverwind commented May 24, 2016

Using Tampermonkey 4.1 on Safari 9.1.1, a userscript seems unable to bypass a site's CSP, like for github.com in our case (here's the script). This error is being logged in the console:

GitHub-Dark-Script:0 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src assets-cdn.github.com".

I've been searching for an option menu with the CSP option, but there appears to be none available in the Safari version of this extension.

Ref: StylishThemes/GitHub-Dark-Script#13

@derjanb derjanb commented May 29, 2016

According to the CSP spec a CSP should not interfere with extensions and add-ons [1], but Safari doesn't care and stops Tampermonkey when it injects a script into the page.

Unfortunately there is nothing I can do to fix this. So this is actually more a "can't fix" than a "won't fix".

[1] https://www.w3.org/TR/CSP3/#extensions
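The check Safari is applying here, as an added example that is not part of this thread or of Tampermonkey: a small evaluator for the script-src part of a Content-Security-Policy, which shows that the directive quoted in the issue admits a script fetched from the listed host but not an inline one (no 'unsafe-inline', nonce or hash). Only the source kinds named in this thread are modelled; ports, paths and 'self' are assumptions left out.

```javascript
// Added example (not Tampermonkey's, Safari's or this thread's code): a small evaluator for
// the script-src part of a Content-Security-Policy. It models script-src (falling back to
// default-src), 'unsafe-inline', 'nonce-...', 'sha256-...' and plain host sources with an
// optional scheme and optional leading "*."; ports, paths and 'self' are left out.
function parsePolicy(policy) {
  // "script-src a b; img-src c" -> { "script-src": ["a", "b"], "img-src": ["c"] }
  const directives = {};
  for (const part of policy.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !(name.toLowerCase() in directives)) directives[name.toLowerCase()] = values;
  }
  return directives;
}

function scriptSources(policy) {
  const d = parsePolicy(policy);
  return d["script-src"] ?? d["default-src"] ?? null; // null: scripts are unrestricted
}

// An inline script (how Safari treats the script Tampermonkey injects, per the issue) passes only
// via 'unsafe-inline', a matching nonce or a matching hash; 'unsafe-inline' is ignored once nonces
// or hashes are present in the same directive.
function inlineScriptAllowed(policy, { nonce, sha256 } = {}) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  const hasNonceOrHash = sources.some(s => /^'(nonce|sha(256|384|512))-/.test(s));
  if (sources.includes("'unsafe-inline'") && !hasNonceOrHash) return true;
  if (nonce && sources.includes(`'nonce-${nonce}'`)) return true;
  if (sha256 && sources.includes(`'sha256-${sha256}'`)) return true;
  return false;
}

function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

// An external script passes when some host source matches the URL's scheme (if named) and host.
function externalScriptAllowed(policy, url) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  const u = new URL(url);
  return sources.some(src => {
    const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([a-z0-9.*-]+)$/i.exec(src);
    if (!m) return false; // quoted keyword sources never match a URL here
    if (m[1] && m[1].toLowerCase() + ":" !== u.protocol) return false;
    return hostMatches(m[2].toLowerCase(), u.hostname.toLowerCase());
  });
}
```

Running `inlineScriptAllowed("script-src assets-cdn.github.com")` reproduces the refusal logged in the issue, while `externalScriptAllowed` with the same policy accepts a URL on assets-cdn.github.com.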

@legendtang legendtang commented Apr 28, 2018

@derjanb I'm also curious why some adblocker extensions, and some extensions that are actually wrappers for some scripts, work like a charm?

@derjanb derjanb commented Apr 28, 2018

@legendtang Can you please send a link to such an extension?
I assume they're running the script within the extension context, which is fine until the script uses extension functionality to modify the extension storage and for example installs a second script without user interaction.

@legendtang legendtang commented Apr 28, 2018

@derjanb For example, uBlock Origin https://github.com/gorhill/uBlock
In advanced options, they even allow you to change the website dynamically.

@derjanb derjanb commented Apr 30, 2018

@legendtang I have trouble finding out how to define a custom JavaScript that is injected into the page. Can you please give some guidance or send a backup that, for example, injects alert('foo') into every page?

@legendtang legendtang commented May 1, 2018

@derjanb They're restricting the use of external scripts and only applying pre-defined rule-based scripts in resource.txt instead. But it will not work in CSP websites for Safari.

Don't be so upset. Below is exactly where I noticed the behavior. There are some extensions already achieving that. Safari-FIDO-U2F/Safari-FIDO-U2F#26 (comment) This extension does successfully load the script on any website, even for CSP-enabled GitHub. The bridge.js is doing the real magic. You may take a glance at that.

@revolter revolter commented May 30, 2018

So does this mean that no userscript will ever work in Safari?

@derjanb derjanb commented May 30, 2018

> So does this mean that no userscript will ever work in Safari?

No, it means a site with a very strict CSP can prevent scripts from running or prevent some features from working.
