New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

GM 4.0 does not install scripts from GitHub (CSP/sandbox issue) #2631

Closed
Incurious opened this Issue Oct 25, 2017 · 24 comments

Comments

Projects
None yet
@Incurious

Incurious commented Oct 25, 2017

GM doesn't install scripts from raw.github.com for some reasons

https://github.com/reek/anti-adblock-killer#anti-adblock-killer--reek
Here on "Step 3: UserScript" you can test 4 mirrors of one script. only github mirror doesn't open install dialog.

@badbrainz

This comment has been minimized.

Contributor

badbrainz commented Oct 25, 2017

There might be an issue with host permissions in this case. Content script aren't injected into top frames that are "about:blank" according to the moz docs.

@xor10

This comment has been minimized.

Contributor

xor10 commented Oct 25, 2017

I think it's a Firefox CSP issue. Apparently, you cannot inject content scripts into pages with CSP sandbox directive. Turn off the CSP (set "security.csp.enable" to false) and try to install it. Do not forget to activate the CSP after installing.

csp

@arantius arantius added this to the 4.0 milestone Oct 25, 2017

@arantius

This comment has been minimized.

Collaborator

arantius commented Oct 25, 2017

@Sxderp

This comment has been minimized.

Contributor

Sxderp commented Oct 25, 2017

Hm, currently at work and only have access to Firefox 52 ESR. Cannot reproduce, security.csp.enable is set to true, using currently released alpha 4.0 available on AMO. What version of Firefox does this fail on? Might be a regression that should be brought up to the Mozilla folks. CSP should not affect content scripts.

@arantius arantius modified the milestones: 4.0, Tracking Upstream Oct 25, 2017

@arantius

This comment has been minimized.

Collaborator

arantius commented Oct 25, 2017

Happens to me on 56 (stable) and 57 (nightly).

@arantius

This comment has been minimized.

Collaborator

arantius commented Oct 25, 2017

@arantius

This comment has been minimized.

Collaborator

arantius commented Oct 25, 2017

@eight04 eight04 referenced this issue Oct 25, 2017

Merged

Install styles from *.user.css file #134

26 of 27 tasks complete

@arantius arantius changed the title from GM 4.0alpha 8 and raw.github scripts to GM 4.0 does not install scripts from GitHub (CSP/sandbox issue) Nov 6, 2017

@adaugherity

This comment has been minimized.

adaugherity commented Nov 20, 2017

User script installation from GitHub does work in ViolentMonkey (2.8.18) in Firefox 57. What are they doing differently?

Edit: apparently they wrote a blog post about it, which references some of these same Firefox bugs. Would that Blob URL method be feasible in GreaseMonkey?

@Sxderp

This comment has been minimized.

Contributor

Sxderp commented Nov 20, 2017

Not really, no. Violentmonkey directly injects scripts by creating <script> objects. Greasemonkey uses tabs.executeScript(). Both methods have their own nuances and issues.


Kinda unrelated, but this does bring up something I'm curious about. How does Violentmonkey provide for elevated API calls, like cross site XHR. As far as I know <script> elements are run in the context of the page and not a content script context, and therefore can't communicate directly with the extension?

@xor10

This comment has been minimized.

Contributor

xor10 commented Nov 20, 2017

User script installation from GitHub does work in ViolentMonkey (2.8.18) in Firefox 57. What are they doing differently?

Tampermonkey and Violentmonkey use webRequest to detect user script installation, whereas Greasemonkey use a content script.

@Sxderp

This comment has been minimized.

Contributor

Sxderp commented Nov 20, 2017

Tampermonkey and Violentmonkey use webRequest to detect user script installation, whereas Greasemonkey use a content script.

Hm. I've got a branch that does that. Although doesn't work on 52 ESR due to the use of filterResponseData. So I can't, at the moment, check to confirm if it works.
https://github.com/sxderp/greasemonkey/tree/use-window-to-install-from-cache

@jasontibbitts

This comment has been minimized.

jasontibbitts commented Jan 31, 2018

Somehow this started working for me with Firefox nightly within the past few days. I'm not sure if Firefox fixed the issue on their end or a change to Greasemonkey did it, but everything does appear to be working as I'd expect. I visit the raw version of a script on github and the greasemonkey install window opens immediately.

@Sxderp

This comment has been minimized.

Contributor

Sxderp commented Jan 31, 2018

Somehow this started working for me with Firefox nightly within the past few days.

Greasemonkey changed the way that scripts are detected. #2719
This can be closed now.

@Eselce

This comment has been minimized.

Contributor

Eselce commented Jan 31, 2018

Works fine for me! Congratulations...

@ibigfire

This comment has been minimized.

ibigfire commented Feb 17, 2018

Not working for me. I go to https://raw.githubusercontent.com/devunt/make-gis-great-again/master/gis-vib.user.js and it does not ask me to install a userscript. Using GM 4.2 and FF 58.0.2

@Eselce

This comment has been minimized.

Contributor

Eselce commented Feb 17, 2018

Using GM 4.2 and FF 58.0.2

Just use the newest GM 4.3 version (currently GM 4.3beta4).
It can be found as a beta version AddOn.

@bluelovers

This comment has been minimized.

bluelovers commented Mar 1, 2018

@Eselce it keep show User script download failed

@Eselce

This comment has been minimized.

Contributor

Eselce commented Mar 1, 2018

@bluelovers Hmm, that link just works for me (GM 4.3beta7, FF 59.0b13).

@arantius arantius modified the milestones: Tracking Upstream, 4.3 Mar 1, 2018

@arantius

This comment has been minimized.

Collaborator

arantius commented Mar 1, 2018

Opening the original report link, then the "Install from github.com" link works as expected in latest (4.3) beta.

@arantius arantius closed this Mar 1, 2018

@adaugherity

This comment has been minimized.

adaugherity commented Mar 3, 2018

With GM 4.3beta7/FF 58.0.2 Mac, it does not work for me. For both the original test and for one of my gists, the installation popup does appear, but after clicking Install, it says "User script download failed".

Furthermore, on our organization's GitHub Enterprise instance, the installation popup never even appears when I browse to a user script raw view. Perhaps it isn't using my authenticated session? (Anonymous access is disabled on our GH instance.)

@arantius

This comment has been minimized.

Collaborator

arantius commented Mar 3, 2018

For both the original test and for one of my gists ..."User script download failed".

Links please.

Furthermore, on our organization's GitHub Enterprise instance ... Perhaps it isn't using my authenticated session?

Pretty sure there's already an issue tracking this but don't have it handy.

@fireattack

This comment has been minimized.

fireattack commented Mar 3, 2018

By "original test" I think he means the one in OP, https://github.com/reek/anti-adblock-killer/blob/master/anti-adblock-killer.user.js

I have the same problem here as well:

heh3

(Needless to say, the result is same if I use "Install from github.com" link in readme.md, since it's the same link.)
I'm using 59.0b14 (64-bit), though.

@bluelovers

This comment has been minimized.

bluelovers commented Mar 4, 2018

why not just use like Tampermonkey what they do for install, i think it is better than wait firefox fix

@arantius

This comment has been minimized.

Collaborator

arantius commented Mar 4, 2018

This is already fixed; users above are confused. If the install window opens, this bug is fixed. If something else happens, that's a separate issue and should be reported as such.

(I think the particular things reported above are also already fixed but there's no newer easy build to test with.)

Repository owner locked as resolved and limited conversation to collaborators Mar 4, 2018

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.