bug: insert scripts on Firefox is not executed on Slack (Bypass CSP enforced using HTML meta tags) #549
Comments
Thanks @SethFalco for the detailed info.
Ahh, that's my bad. I was under the impression that extensions, bookmarklets, etc. could bypass CSP, but I can see other extensions have the same problem on Firefox. I was exploring if I could do this through a user-script instead, but that isn't going to work either. 🤔 Relevant bug on Firefox: Interesting reads:
Not sure if much can be done here then, or if this should be closed and we can just wait for Mozilla to address it in Firefox, though it's been 7 years already. ^-^'
Bypassing CSP is possible for extensions if it is enforced via an HTTP header (since extensions can modify headers). https://app.slack.com/client/ is enforcing CSP via an HTML meta tag. Extensions cannot modify responses of such requests. But what if you have a proxy server in the middle that does the modification of this HTML meta tag and then only forwards the response to the browser? The browser would no longer be aware of any CSP policy. Try Requestly Desktop App. Close your existing Firefox instance and reopen via Connected Apps in Requestly App.
Not very convenient, but it opens up a lot of possibilities.
@sagarsoni7 This is very interesting! Good solution, we should update our existing article https://requestly.io/blog/learn-and-bypass-content-security-policy-http-response-header and mention this approach too.
@sagarsoni7 @SethFalco -- Just wondering: if, using the Insert Script feature, we remove the meta tag that matches the Content-Security-Policy, does Firefox still apply the CSP restrictions?
@sachinjain024 - No, it doesn't apply restrictions then. ^^ Updated the screenshot with script injection working.
@sagarsoni7 Then it should be completely solvable with just the browser extension, without the need of using the desktop app? Basically, then we can create two blocks (pairs) of scripts
Thoughts?
Right, but what I meant is that the CSP specification dictates this shouldn't be required at all. I'm assuming this is why it works in Chromium, for example. That's why this is considered a bug in Firefox.
If this will be documented anywhere, instead of advising to remove the CSP outright, perhaps it's better to use a regex to replace only the What users do in practice is entirely up to them! But I think a formal article should try to minimize advising to undermine the browser's built-in security features. For example, something like the following for scripts:

```javascript
const CSP = "<meta http-equiv=\"Content-Security-Policy\" content=\"base-uri 'self'; script-src 'none'; object-src 'none'; default-src 'none'\">";
CSP.replace(/\s*(script|default)-src.+?(;|(?="))/g, "");
// Input: <meta http-equiv="Content-Security-Policy" content="base-uri 'self'; script-src 'none'; object-src 'none'; default-src 'none'">
// Output: <meta http-equiv="Content-Security-Policy" content="base-uri 'self'; object-src 'none';">
```

It might not be perfect as I rushed this up. Also, the content of the
I would be surprised if this would work tbh. If CSP is blocking scripts, I don't see how one could use a script to remove the meta tag in the first place to execute the next script. I did do an experiment where I tried to make uBlock Origin remove the CSP through a custom filter:
However, it wasn't removed at all. Probably because uBlock Origin doesn't remove the actual content from the DOM, so that was a bust.
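The narrower rewrite discussed above (drop only the script-related directives, keep the rest of the policy), as an added example that is not part of this thread or the Requestly project. It parses the CSP directive list instead of regex-matching it, and it also shows CSP's fallback rule: removing `script-src` alone leaves `default-src 'none'` governing scripts, which is why both directives have to be considered. The `rewriteCspMeta` helper assumes a double-quoted `content` attribute.

```javascript
// Added example: parse a CSP policy into directives, remove only the named
// ones, and report which directive governs <script> elements afterwards.

function parseCsp(policy) {
  // Each directive is "<name> <source-list>", separated by ';'.
  return policy
    .split(";")
    .map((d) => d.trim())
    .filter((d) => d.length > 0)
    .map((d) => {
      const [name, ...sources] = d.split(/\s+/);
      return { name: name.toLowerCase(), sources };
    });
}

function serializeCsp(directives) {
  return directives
    .map((d) => [d.name, ...d.sources].join(" "))
    .join("; ");
}

// Drop only the directives listed in `names`; everything else stays intact.
function stripDirectives(policy, names) {
  const drop = new Set(names.map((n) => n.toLowerCase()));
  return serializeCsp(parseCsp(policy).filter((d) => !drop.has(d.name)));
}

// The directive that actually governs <script> elements, per CSP fallback:
// script-src-elem, then script-src, then default-src. Null if none applies.
function effectiveScriptDirective(policy) {
  const byName = new Map(parseCsp(policy).map((d) => [d.name, d]));
  for (const name of ["script-src-elem", "script-src", "default-src"]) {
    if (byName.has(name)) return byName.get(name);
  }
  return null;
}

// Rewrite the content="" of a CSP <meta> tag inside an HTML string, leaving
// the rest of the tag untouched (assumes double-quoted attribute values).
function rewriteCspMeta(html, names) {
  const re = /(<meta\s+http-equiv="Content-Security-Policy"\s+content=")([^"]*)(")/i;
  return html.replace(re, (_, open, policy, close) =>
    open + stripDirectives(policy, names) + close);
}
```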
@sachinjain024 - If you mean to remove the meta tag with a script injection like
it won't work, since even this script won't be executed, because CSP restricts inline scripts in the OP's case.
Totally agreed!
@Kanishkrawatt @sagarsoni7 How to bypass CSP enforced using an HTML meta tag?
Describe your issue?
I'm using the Insert Scripts rule to inject JavaScript into Slack on Firefox.
In Requestly I can see that the conditions were met, and that the script was injected. I can also see the script in the <head> of the document via Inspect Element. Despite scattering console.log all over the script, none of the logs are printed under the Console tab. This script works exactly as intended on Chromium, and I am able to inject scripts on other sites like Google on Firefox.
Repro steps
HOST
Equals
app.slack.com
Language: JS
Code Source: CODE
Insert: After Page Load
What Requestly tool were you using?
Your Environment
Debian 11, Firefox 112.0 (64-bit)
Requestly Version
v23.4.5
Error screenshot
No response