Safari: Script unable to bypass CSP #296

Closed
silverwind opened this Issue May 24, 2016 · 8 comments

silverwind commented May 24, 2016

Using Tampermonkey 4.1 on Safari 9.1.1, a userscript seems unable to bypass a site's CSP, like for github.com in our case (here's the script). This error is being logged in the console:

GitHub-Dark-Script:0 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src assets-cdn.github.com".

I've been searching for an option menu with the CSP option, but there appears to be none available in the Safari version of this extension.

Ref: StylishThemes/GitHub-Dark-Script#13

derjanb commented May 29, 2016

According to the CSP spec a CSP should not interfere with extensions and add-ons [1], but Safari doesn't care and stops Tampermonkey when it injects a script into the page.

Unfortunately there is nothing I can do to fix this. So this is actually more a "can't fix" than a "won't fix".

[1] https://www.w3.org/TR/CSP3/#extensions

legendtang commented Apr 28, 2018

@derjanb I'm also curious why some adblocker extensions, and some extensions that are actually wrappers for some scripts, work like a charm?

derjanb commented Apr 28, 2018

@legendtang Can you please send a link to such an extension?
I assume they're running the script within the extension context, which is fine until the script uses extension functionality to modify the extension storage and for example installs a second script without user interaction.

legendtang commented Apr 28, 2018

@derjanb For example, uBlock Origin https://github.com/gorhill/uBlock
In advanced options, they even allow you to change the website dynamically.

derjanb commented Apr 30, 2018

@legendtang I'm having trouble finding out how to define a custom JavaScript that is injected into the page. Can you please give some guidance or send a backup that, for example, injects alert('foo') into every page?

legendtang commented May 1, 2018

@derjanb They're restricting the use of external scripts and only applying pre-defined rule-based scripts in resource.txt instead. But it will not work in CSP websites for Safari.

Don't be so upset. Below is exactly where I noticed the behavior. There are some extensions already achieving that: Safari-FIDO-U2F/Safari-FIDO-U2F#26 (comment). This extension does successfully load the script on any website, even for CSP-enabled GitHub. The bridge.js is doing the real magic. You may take a glance at that.

revolter commented May 30, 2018

So does this mean that no userscript will ever work in Safari?

derjanb commented May 30, 2018

So does this mean that no userscript will ever work in Safari?

No, it means a site with a very strict CSP can prevent scripts from running or prevent some features from working.
