Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Firefox] Tampermonkey failed with CSP error (again) #700

Closed
ulrichb opened this issue May 3, 2019 · 13 comments
Closed

[Firefox] Tampermonkey failed with CSP error (again) #700

ulrichb opened this issue May 3, 2019 · 13 comments
Labels

Comments

@ulrichb
Copy link

@ulrichb ulrichb commented May 3, 2019

This is a follow-up of #361 because we got CSP errors in Firefox again.

Content Security Policy: The page’s settings blocked the loading of a resource at eval (“script-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).

Completely disabling Tampermonkey in the Firefox Add-On manager removes the errors. Note that blacklisting the site, or disabling Tampermonkey in the toolbar does not remove these errors.

Tampermonkey: v4.9.5921 (Firefox)

@Alien426
Copy link

@Alien426 Alien426 commented Jul 30, 2019

I have the same issue. It happens on Twitter. The script is not executed at all.

Tampermonkey is v4.9.5941 on Firefox.

Loading

@Arthaey
Copy link

@Arthaey Arthaey commented Jul 30, 2019

I'm also seeing these errors in Slack. In the meanwhile, I've had to create a separate Firefox profile just for Slack where I turn off security.csp.enable.

Loading

@Frederick888
Copy link

@Frederick888 Frederick888 commented Aug 11, 2019

I've got a script for Twitter which seems to be influenced by this issue as well. But oddly enough, while a "refresh without cache" somehow makes the script work, a normal refresh will break it again. Another strange thing that I noticed was that the script counter got bumped up by 1 every time I refreshed the page.

Turning off security.csp.enable also gave my script the green light to run but the counter issue still persisted. And by the way I didn't encounter this problem using Greasemonkey.

Loading

@eprowe
Copy link

@eprowe eprowe commented Sep 12, 2019

Also experiencing these errors on FF 69 and Tampermonkey v4.9.5941. Trying to inject CSS from Slack Night Mode (Black) into Slack.com generates the following errors on refresh:

TypeError: a is undefined
Content Security Policy: The page's settings blocked the loading of a resource at eval ("script-src").
Content Security Policy: The page's settings blocked the loading of a resource at eval ("script-src").
TypeError: a is undefined
Content Security Policy: The page's settings blocked the loading of a resource at eval ("script-src").
Content Security Policy: The page's settings blocked the loading of a resource at eval ("script-src").
Content Security Policy: The page's settings blocked the loading of a resource at inline ("script-src").

Only way to resolve the issue is to turn off security.csp.enable or via the "Experimental" option to "Add Tampermonkey to the sites content CSP". Enabling the "Security" option to "Add Tampermonkey to the site's content security policy (CSP) if there is one" had no effect.

Loading

@evll
Copy link

@evll evll commented Oct 8, 2019

For me "Add Tampermonkey to the sites content CSP" option had no effect either. The only working "workaround" is to switch to Greasemonkey.

Loading

@Arthaey
Copy link

@Arthaey Arthaey commented Oct 25, 2019

This might be solvable now that Firefox seems to have a userScripts API available. See my comment on #418 for details.

Loading

@im-n1
Copy link

@im-n1 im-n1 commented May 10, 2020

For those who just got new Firefox update and is facing this issue just go to "about:config" and set "security.csp.enable" to "false".

Loading

@alexolog
Copy link

@alexolog alexolog commented Jun 1, 2020

For those who just got new Firefox update and is facing this issue just go to "about:config" and set "security.csp.enable" to "false".

Doing this will leave the user open to cross-site scripting attacks.

Please vote and comment on https://bugzilla.mozilla.org/show_bug.cgi?id=866522

Loading

@alexolog
Copy link

@alexolog alexolog commented Jun 1, 2020

Violentmonkey tries to address the problem:
https://violentmonkey.github.io/posts/inject-into-context/

Loading

@im-n1
Copy link

@im-n1 im-n1 commented Jun 2, 2020

For those who just got new Firefox update and is facing this issue just go to "about:config" and set "security.csp.enable" to "false".

Doing this will leave the user open to cross-site scripting attacks.

Please vote and comment on https://bugzilla.mozilla.org/show_bug.cgi?id=866522

That issue is 7 years old. Well good luck convincing Mozilla...

Loading

@derjanb
Copy link
Member

@derjanb derjanb commented Jun 2, 2020

Violentmonkey tries to address the problem:
https://violentmonkey.github.io/posts/inject-into-context/

Evaluating code in extension context is most probably not a permanent solution because of manifest v3 changes.

Loading

@alexolog
Copy link

@alexolog alexolog commented Jun 2, 2020

That issue is 7 years old. Well good luck convincing Mozilla...
You could help, you know. Will take all about 5 minutes of your time, and if enough people do it it may convince Mozilla.

Evaluating code in extension context is most probably not a permanent solution because of manifest v3 changes.

Perhaps. Hopefully Firefox (and other browsers) will not buy into v3 wholesale.
Still, the current "solution" of disabling CSP altogether is sub-optimal.

Loading

@derjanb
Copy link
Member

@derjanb derjanb commented Jun 3, 2020

For those who just got new Firefox update and is facing this issue just go to "about:config" and set "security.csp.enable" to "false".

Please see #952 (comment) for a better workaround.

I'm closing this in favor of #952

Loading

@derjanb derjanb closed this Jun 3, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
9 participants