Tampermonkey userscript doesn't work in chrome because of CSP #593
Comments
Unfortunately Tampermonkey cannot change inline CSP meta tags. There is a request to allow extensions to modify the request body, but this is not implemented yet (at least in Chrome). You are right that Tampermonkey can trigger an "EvalError: Refused to evaluate a string as JavaScript" warning at such CSP-secured pages, but then a workaround is used to inject the scripts. This means scripts should at least start even if some functionality is broken by CSP. And this seems to work here as expected. Just install this script and visit http://test.tampermonkey.net/csp_header.php?scp=default-src+%27self%27+*.tampermonkey.net%3B+img-src+%27self%27+*.tampermonkey.net+data%3A%3Bconnect-src+ws%3A+wss%3A+%27self%27+*.tampermonkey.net%3B&meta=true

```javascript
// ==UserScript==
// @name Meta Tag CSP
// @namespace test
// @include http://test.tampermonkey.net/csp_header.php?scp=default-src+%27self%27+*.tampermonkey.net%3B+img-src+%27self%27+*.tampermonkey.net+data%3A%3Bconnect-src+ws%3A+wss%3A+%27self%27+*.tampermonkey.net%3B&meta=true
// @grant GM_getValue
// @grant GM_setValue
// ==/UserScript==
// Logs "running" and the timestamp stored on the previous visit (undefined the first time).
console.log('running', GM_getValue('ts'));
GM_setValue('ts', Date.now());
// Refused by the page's CSP: default-src applies to scripts and does not list 'unsafe-eval'.
eval('console.log("foo");');
```

As you can see, "running" and a timestamp are logged, but eval fails due to CSP. Note: you can also play with "Inject Mode" "Instant" and
The first script doesn't quite work, as it sometimes allows setting/getting the value and sometimes doesn't (same error as in the first post). But setting the @run-at to "document-start" does the trick, as long as the script doesn't try to perform an eval or to create an inline script (since it is forbidden by CSP). Still, the script can be executed if run at document-start. Thanks for the tip!
Hey @Loceka,
@derjanb did this just stop working?
uBO injected scripts (scriptlets) still run fine. EDIT: I read later it's because they use the extension context, never mind. I had this convoluted and naive idea for a temporary quick workaround involving injecting in instant mode and window.stop(),
but I can't create a head (document.head = document.createElement('head') nopes).
Hello,
I've run into an issue with a website declaring a Content Security Policy in a `<meta>` tag:
Even the simplest scripts such as (this is the whole script, so only the metadata is enough to raise an error):
fail with the error
EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' *.<site url>".
It is even worse when I set
`// @grant GM_getValue`
(or anything but "none"): instead of raising an error 70% of the time, it raises an error 95% of the time. This is what I used for the tests:
In addition, the same script on the same website but with Firefox/Tampermonkey runs well.
So the problem is chrome/chromium related.
I've checked the Tampermonkey security parameters and in both browsers they are set to the default :
Add Tampermonkey to the website content security policy (CSP) if any : yes
(it may not be the exact English version since I have a translation)
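The maintainer's reply and the original post both turn on the same rule: whether `eval()` (and an injected inline `<script>`) is allowed is decided by the page's `script-src`, or by `default-src` when `script-src` is absent, and only `'unsafe-eval'` / `'unsafe-inline'` unlock them. The following is an added example, not code from Tampermonkey or from anyone in this thread, that extracts the policy from the test URL quoted above, parses it, and applies that fallback rule, plus a runtime probe a userscript can use instead of assuming `eval` works. The parser is deliberately simplified (it ignores the CSP3 `script-src-elem` / `script-src-attr` split and report-only policies); the helper names are my own.

```javascript
// Added example (not from the Tampermonkey project): decide, from a CSP policy string,
// whether eval() and inline <script> injection would be refused. Assumes the browser's
// fallback rule script-src -> default-src -> unrestricted; CSP3 script-src-elem/attr
// and report-only policies are intentionally not modelled.

// The test URL from the thread above; the `scp` query parameter carries the policy text.
const TEST_URL =
  "http://test.tampermonkey.net/csp_header.php?scp=default-src+%27self%27+*.tampermonkey.net%3B+img-src+%27self%27+*.tampermonkey.net+data%3A%3Bconnect-src+ws%3A+wss%3A+%27self%27+*.tampermonkey.net%3B&meta=true";

// Pull the policy out of the query string (URLSearchParams decodes '+' and %XX for us).
function policyFromTestUrl(url) {
  return new URL(url).searchParams.get("scp");
}

// Parse "directive src src; directive ..." into { directive: [sources] }.
// Directive names are case-insensitive; sources keep their case (nonces/hashes are case-sensitive).
// A repeated directive is ignored, matching browser behaviour (first occurrence wins).
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// The source list that governs script execution, and which directive supplied it.
function scriptSources(directives) {
  if ("script-src" in directives) return { name: "script-src", sources: directives["script-src"] };
  if ("default-src" in directives) return { name: "default-src", sources: directives["default-src"] };
  return { name: null, sources: null }; // no script restriction at all
}

// Would eval() / new Function() / setTimeout("...") be refused under this policy?
function evalAllowed(directives) {
  const { name, sources } = scriptSources(directives);
  if (sources === null) return { allowed: true, governing: null };
  return { allowed: sources.includes("'unsafe-eval'"), governing: name };
}

// Would an inline <script> element without a nonce run? Since CSP2 a nonce or hash
// source in the governing list makes the browser ignore 'unsafe-inline'.
function inlineScriptAllowed(directives) {
  const { name, sources } = scriptSources(directives);
  if (sources === null) return { allowed: true, governing: null };
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return { allowed: sources.includes("'unsafe-inline'") && !hasNonceOrHash, governing: name };
}

// Runtime probe for a userscript: under a policy without 'unsafe-eval' the browser
// throws an EvalError, which is caught here; any other error is a real bug and rethrown.
function canEval() {
  try {
    new Function("return 1")();
    return true;
  } catch (e) {
    if (e instanceof EvalError) return false;
    throw e;
  }
}

// Human-readable verdict for one policy, used by the demo below.
function describePolicy(policy) {
  const d = parseCsp(policy);
  const ev = evalAllowed(d);
  const inl = inlineScriptAllowed(d);
  return `eval ${ev.allowed ? "allowed" : "refused"} (via ${ev.governing ?? "no directive"}); ` +
         `inline script ${inl.allowed ? "allowed" : "refused"} (via ${inl.governing ?? "no directive"})`;
}

console.log(describePolicy(policyFromTestUrl(TEST_URL)));
```

Run under Node, the demo reports that the thread's test policy refuses both `eval` and inline scripts via `default-src`, which is exactly why the `eval('console.log("foo");')` line in the maintainer's script fails while the `GM_getValue`/`GM_setValue` lines run. `canEval()` returns `true` outside a browser; inside a page that sends this policy it returns `false`, so a userscript can branch on it rather than crash.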