[Firefox] Tampermonkey failed with CSP error (again)

[ulrichb]

This is a follow-up of #361 because we got CSP errors in Firefox again.

Content Security Policy: The page’s settings blocked the loading of a resource at eval (“script-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).

Completely disabling Tampermonkey in the Firefox Add-On manager removes the errors. Note that blacklisting the site, or disabling Tampermonkey in the toolbar does not remove these errors.

Tampermonkey: v4.9.5921 (Firefox)

[Alien426]

I have the same issue. It happens on Twitter. The script is not executed at all.

Tampermonkey is v4.9.5941 on Firefox.

[Arthaey]

I'm also seeing these errors in Slack. In the meanwhile, I've had to create a separate Firefox profile just for Slack where I turn off security.csp.enable.

[Frederick888]

I've got a script for Twitter which seems to be influenced by this issue as well. But oddly enough, while a "refresh without cache" somehow makes the script work, a normal refresh will break it again. Another strange thing that I noticed was that the script counter got bumped up by 1 every time I refreshed the page.

Turning off security.csp.enable also gave my script the green light to run but the counter issue still persisted. And by the way I didn't encounter this problem using Greasemonkey.

[eprowe]

Also experiencing these errors on FF 69 and Tampermonkey v4.9.5941. Trying to inject CSS from Slack Night Mode (Black) into Slack.com generates the following errors on refresh:

TypeError: a is undefined
Content Security Policy: The page's settings blocked the loading of a resource at eval ("script-src").
Content Security Policy: The page's settings blocked the loading of a resource at eval ("script-src").
TypeError: a is undefined
Content Security Policy: The page's settings blocked the loading of a resource at eval ("script-src").
Content Security Policy: The page's settings blocked the loading of a resource at eval ("script-src").
Content Security Policy: The page's settings blocked the loading of a resource at inline ("script-src").

Only way to resolve the issue is to turn off security.csp.enable or via the "Experimental" option to "Add Tampermonkey to the sites content CSP". Enabling the "Security" option to "Add Tampermonkey to the site's content security policy (CSP) if there is one" had no effect.

[evll]

For me "Add Tampermonkey to the sites content CSP" option had no effect either. The only working "workaround" is to switch to Greasemonkey.

[Arthaey]

This might be solvable now that Firefox seems to have a userScripts API available. See my comment on #418 for details.

[im-n1]

For those who just got new Firefox update and is facing this issue just go to "about:config" and set "security.csp.enable" to "false".

[alexolog]

For those who just got new Firefox update and is facing this issue just go to "about:config" and set "security.csp.enable" to "false".

Doing this will leave the user open to cross-site scripting attacks.

Please vote and comment on https://bugzilla.mozilla.org/show_bug.cgi?id=866522

[alexolog]

Violentmonkey tries to address the problem:
https://violentmonkey.github.io/posts/inject-into-context/

[im-n1]

For those who just got new Firefox update and is facing this issue just go to "about:config" and set "security.csp.enable" to "false".

Doing this will leave the user open to cross-site scripting attacks.

Please vote and comment on https://bugzilla.mozilla.org/show_bug.cgi?id=866522

That issue is 7 years old. Well good luck convincing Mozilla...

[derjanb]

Violentmonkey tries to address the problem:
https://violentmonkey.github.io/posts/inject-into-context/

Evaluating code in extension context is most probably not a permanent solution because of manifest v3 changes.

[alexolog]

That issue is 7 years old. Well good luck convincing Mozilla...
You could help, you know. Will take all about 5 minutes of your time, and if enough people do it it may convince Mozilla.

Evaluating code in extension context is most probably not a permanent solution because of manifest v3 changes.

Perhaps. Hopefully Firefox (and other browsers) will not buy into v3 wholesale.
Still, the current "solution" of disabling CSP altogether is sub-optimal.

[derjanb]

For those who just got new Firefox update and is facing this issue just go to "about:config" and set "security.csp.enable" to "false".

Please see #952 (comment) for a better workaround.

I'm closing this in favor of #952