CSP 'script-src' on Riot/Web

[matrix-git1]

I logged in to my account on my Matrix homeserver (Nginx + Synapse) using Riot Web (Browser) (https://riot.im/app/#/login).
I wanted to execute an eval script in the browser bar (Google Chrome 83) like this:

javascript:eval("s=document.createElement('script');s.src='https://yastatic.net/jquery/2.1.4/jquery.min.js';document.getElementsByTagName('head')[0].appendChild(s)")

But I was disappointed. I received the following message:

I checked my Nginx (/etc/nginx/nginx.conf and /etc/nginx/sites-available/[_homeserver_]), but no CSP policy is set there.

I want eval() to work no matter what.
Could Riot Web have prevented me from doing this?

P.C. eval script works on google.com in the same browser.

[t3chguy]

Yes, riot-web includes a CSP policy: https://github.com/vector-im/riot-web/blob/develop/src/vector/index.html#L26-L40

eval does work, the thing that isn't working is yastatic.net is not whitelisted in the CSP.

Adding arbitrary origins would be a security disaster.

google.com gets a shoddy Mozilla Observatory score of D-: https://observatory.mozilla.org/analyze/google.com
compared to Riot which gets an A https://observatory.mozilla.org/analyze/riot.im

[matrix-git1]

@t3chguy Thank you!

But why if I use the Disable Content-Security-Policy plugin (https://chrome.google.com/webstore/detail/disable-content-security/ieelmcmcagommplceebfedjlakkhpden) or similar plugins my eval-script is not running?

[t3chguy]

You would have to ask the support of that plugin.