A script tag injected into a page with a Content Security Policy that rejects inline scripts will not run [WORKING AS INTENDED] #2046
http://en.wikipedia.org/wiki/Content_Security_Policy GitHub forbids scripts that don't originate from their CDN (assets-cdn.github.com, collector-cdn.github.com). Consequently, Firefox will refuse to execute inline scripts. It certainly would be nice if Greasemonkey scripts weren't affected by CSP restrictions.
What's the issue with just executing the code or using
AFAIK there's no way to bypass CSP for <script> tags that happened to come from a user script, without allowing them from anywhere (which is bad). So this is probably just WAI.
"AFAIK there's no way to bypass CSP for" Your comment was cut off. Is it not possible to allow Greasemonkey scripts to bypass CSP?
I hope GreaseMonkey can do something about this. Bookmarklets and addons shouldn't be affected by CSP. Firefox does have an about:config setting to turn off CSP completely, but that is a security risk, and userscript authors shouldn't be asking users to change browser settings for a script to run correctly. Can't the GreaseMonkey addon edit the response header to include GreaseMonkey scripts?
A <script> tag is a <script> tag. Can't enable one without enabling them all. I don't think I'm interested in building features with the sole purpose of defeating intentional security measures.
Aha .. don't try to type the word "script" surrounded by angle brackets when trying to refer to that kind of HTML tag. Anyway: A script tag in the page is a script tag in the page. I'd be surprised if there was a way to force one of them to run, in violation of the CSP rules set, without forcing all of them to run. I'm also generally not interested in building features whose sole purpose is to defeat intentional/useful security mechanisms.
pdf.js apparently just turns off CSP. Unfortunately, I'm not sure how we'd do this for a script since we don't have access to the request object during injection as far as I can tell. Maybe this could be done extension-wide? If we did, would that kill CSP everywhere (or at least on any page with a script injected into it)?
This issue was added to "pony". What does that mean? Getting to the topic at hand, yes, this requires changes made by the extension, not the script. If CSP is turned off completely, then it would be defeating intentional security mechanisms against things like XSS. But Greasemonkey scripts, like bookmarklets, are mostly used to make intentional changes. The security risk comes from installing the Greasemonkey script; CSP doesn't help in that regard for Greasemonkey. Can't an API be added, "@grant CSP-inline", which would alter the response header to add "inline" to the CSP? The biggest issue is that Greasemonkey disabled unsafeWindow, and so injecting scripts into the site was the easiest alternative, but now that's becoming a problem as sites use CSP.
I do not believe there is a way to securely disable CSP only for certain scripts. Look at the example in the original report. There is no request nor response to set a header on. And to repeat: I do not intend to create new features whose sole purpose is to defeat intentional security measures.
@arantius It should work look here: http://i.imgur.com/Kmx7yX9.png
Direct link: https://www.w3.org/TR/CSP3/#extensions Do you think you can do something about it @arantius?
@pyhedgehog Does userCSP permit relaxing CSP rules on sites like Twitter or GitHub?
Seems it's not updated for newer Fx.
I will try it next week, when I will be a little bit less busy, to see how it works. It would really be useful if we could bypass CSP per website for power users. Disabling it for all sites is too dangerous IMO. I know that on Chrome there are at least 2 addons to disable CSP based on domain name: https://chrome.google.com/webstore/detail/disable-content-security/ieelmcmcagommplceebfedjlakkhpden AND https://chrome.google.com/webstore/detail/content-security-policy-o/lhieoncdgamiiogcllfmboilhgoknmpi It would be really useful if @arantius integrated it in GM for power users, since being able to control userscripts and addons fully is part of the W3C Working Draft, 21 June 2016. Regards 😄
@janekptacijarabaci How can I test your fork? I don't see any new release. ❓ BTW: Big thanks for "fixing" the CSP to be able to put inline scripts in all websites. I will be able to use the web again as I like it 😄 Regards!
@mikhoul All (i.e. changed) files are in the separate pack (see above the test branch)
Thanks a lot for the help! 😄 I'm not familiar with GitHub except for leaving comments and other basic things. I can do many things in JS, but I never took a basic course to learn the fundamentals... so sometimes I lose a lot of time understanding basic things. My next goal is to stop and follow a basic JS course online, to stop being stuck on basic issues ;-) How can I know if your fork will be integrated in the main branch? Like I told you, I'm not familiar with GitHub beyond "basic" use. I'd like to be able to follow it so I know when you make an update, to apply it on my side. Right now I applied it on top of the latest beta; if I see something "wrong" I will let you know. Later this week, after I finish a project, I will have more time to test the CSP on sites that restrict "inline JS". Thanks again for your time, it's really appreciated. 😋
Maybe never will be... :-)
@janekptacijarabaci Will you update your fork? I don't mind updating the XPI manually, but I'd like to know when you update your version 😆 Regards! 🐸
This will not be added to my fork (certainly not in the near future). This is just a thing for testing.
@janekptacijarabaci Is there a way I can add it "safely" manually at each future release? If you can provide me the steps to "inject" the change that allows CSP to be relaxed, I would be grateful. Regards!
I don't know how to describe the steps (which are both simple and safe) to do it (for all future versions). But... (this is true only for this moment!): However, if you use it, you do it at your own risk! Though we are very off-topic...
Ran into the same issue when I was trying to create a web worker from a blob URL (
Shouldn't hash help? Looks like both injection methods are needed.
Possibly not. The request to fetch the worker script is sent from the browser, so we have nothing to do with it. Currently I am using another extension to modify CSP headers, but I don't think it's a good idea to bypass sites' security restrictions like this.
What is the problem with a nonce (not an SRI hash)? You inject a nonce for each script/style into the CSP header and use the nonce with the injected script/style tags.
Wouldn't
Just tried but it still failed; I think hashes only work for inline scripts. In my tests, an inline script with the same contents passed, but external scripts failed.
You do not use hashes for inline scripts, as somebody who can inject a script can inject the matching hash. So it needs a nonce. On the other hand, there is SRI for external scripts and URL-based rules.
I think the security considerations are the same as for the website owner himself: if you want to use a static worker, a hash or nonce works; if you need dynamic ones, you need to be more liberal with the CSP rules. Somebody who writes a script needs to consider the same things as the website owner. Respecting the owner's CSP to a level which makes it impossible to script the site is against the idea of Greasemonkey, which should implement features which aren't supported by the owner. So I think some CSP rules should be disabled, if it won't work otherwise.
@idiotWu Which extension do you use? Regards
@mikhoul Content Security Policy Override, an extension for the Chrome browser. The following is my config:
[
  ["https://twitter\\.com/*", [
    ["worker-src|$", "worker-src 'self' blob:"]
  ]]
]
Hm... So, no plans to implement any method to bypass CSP for script injection?
This sucks. Closing it is the easy way out instead of figuring out a problem that is only going to get worse as more sites start to use CSPs. It's pretty clear that there's a need for it, don't ignore it.
Apologies if this has been mentioned in this thread already, but FYI, anyone who needs CSP support can use Tampermonkey, which already handles this.
Just as an update, for anyone following. The Mozilla folks have had their sights on allowing this for a couple of years now. Accordingly, some new patches have been pushed, here and here, which should resolve these issues. Unfortunately they're set for merging into the Firefox 58 branch.
@jerone @arantius The main reason one might want to do this is to iterate quickly on your own code included in
This problem is exacerbated during development:
It's a pretty painful workflow. Dr Nic wrote about this nearly ten years ago, before the proliferation of CSPs, so his approach worked back then. I can't think of a way to do it now, since there's no way to include an external resource and there's no way to invalidate the GM cache that I've been able to find. Any advice here? Thanks!
@nyuszika7h I'm using TamperMonkey and getting this error. Is there a workaround?
According to the TM folks, not much they can do. |
@arantius
@rslifka A bit belatedly: isn't the conventional solution to include the version number in the name of the @require file, the way jQuery and similar .js files are dealt with by Google and others? So, when you change the @require file, you change the version number in the name of the file and upload it, and you change the file name in the @require line in the main script accordingly. So the updated main script will automatically download the new version of the library file.
@Cerberus-tm yep, still a pretty onerous workflow to go through all those steps when developing locally :) I've solved this by having a development-mode UserScript that references file:// URLs, and enabled local file access in TamperMonkey in the Chrome extension settings. Works great!
@rslifka Ah, that sounds smart. I wonder whether this would also work with Greasemonkey in Firefox.
How does it handle it? I can't seem to find any documentation for it and it is causing me issues...
I believe they're talking about the option at the bottom of the advanced settings.
Ah, I found the setting and it's enabled. Still having issues though...
Reduced test script:
// ==UserScript==
// @name Hello World
// @description Hello World
// @include *
// @version 1.0
// @grant none
// ==/UserScript==
// Inject a script tag into the page; a CSP without 'unsafe-inline' blocks it.
var script = document.createElement('script');
// Inline body: an immediately-invoked function that shows the alert.
script.textContent = "(function () { alert('hello'); })();";
document.body.appendChild(script);
This script doesn't work on https://github.com/greasemonkey/greasemonkey/issues
On every other page it works and the alert box pops up. Is this a bug with Greasemonkey?