CSP issue

[eight04]

It seems that the style is not applied if the site contains this header:

content-security-policy: default-src 'none'

Is it possible to bypass the restriction?

[JasonBarnabe]

This is with Firefox?

[eight04]

I found that it is related to userscript instead of userstyle. Sorry for the mistake.

[IzzySoft]

Request reopen, @JasonBarnabe : As soon as a site propagates style-src: with their CSP, it seems that userstyles via Stylish are not applied. A server under my control had style-src 'self' 'unsafe-inline' included. So for testing, I temporarily removed that part – et voila, the style was applied again. As a user normally has no control over that, this approach was only a "proof of concept".

If you need more details, please let me know.

[jerone]

This is still an issue with userstyles. For example on GitHub were all security is tight, I'm getting the following error with this userstyle:

Content Security Policy: The page’s settings blocked the loading of a resource at data:text/css,/*TabSizer*/%40namespace%20html%20url(http%3A%2F%2Fwww.w3.org%2F1999%2Fxhtml)%3B%0D%0A%40namespace%20xul%20url(http%3A%2F%2Fwww.mozilla.org%2Fkeymaster%2Fgatekeeper%2Fthere.is.only.xul)%3B%0D%0A%0D%0Ahtml%7C*%2C%0D%0Axul%7C*%20%7B%0D%0A%09-moz-tab-size%3A%204%3B%0D%0A%09-o-tab-size%3A%204%3B%0D%0A%09tab-size%3A%204%3B%0D%0A%7D (“style-src 'unsafe-inline' https://assets-cdn.github.com”).