rufflewind / chrome_cspmod
Chrome extension to alter the Content Security Policy of webpages.
Home Page: https://chrome.google.com/webstore/detail/lhieoncdgamiiogcllfmboilhgoknmpi
License: Other
Hi, I tried using your extension because I faced the necessity to override Instagram's worker-src.
I have an extension that downloads Instagram media as a ZIP archive, and now Instagram has apparently changed something and I am unable to access Worker.
The error is: "Refused to create a worker from 'blob:https://www.instagram.com/---' because it violates the following Content Security Policy directive: "worker-src 'self' https://www.instagram.com"
So I added this to the Options of your extension:
```json
[
  ["https://instagram\\.com", [
    ["worker-src", "worker-src blob:"]
  ]]
]
```
But the CSP is not changed for some reason. Can you help me with this?
Thanks.
Hey, happy holidays!
I was testing this on Steam (steampowered.com) and noticed that I was unable to disable CSP for loading scripts.
I used a few variations of the URL and using the background page/debugger, it looked like the extension was indeed running but I still couldn't get "script-src" to allow URLs from my domain.
I found a workaround using a different extension but wanted to give you a heads up.
I'll try and add some more details later.
I tried using the following rule:
```json
["https://twitter\\.com", [
  ["script-src", "'unsafe-eval' 'self' 'unsafe-inline' https://*.twimg.com https://www.google-analytics.com https://twitter.com 'nonce-YzFkN2FkNmYtOWExNC00MjZjLThlZDYtNGY0YjgyMTVjZWRh'"]
]]
```
Which does not work. The only thing I can think of that might be an issue is the service worker twitter is using. (P.S. I know extensions can mess with service worker responses, because the "Disable Content-Security-Policy" extension successfully removes all CSP, I just want to modify it, not remove it completely.)
Additionally this failed:
```json
["https://bugs\\.chromium\\.org", [
  ["script-src", "'unsafe-eval' 'report-sample' 'unsafe-inline' 'strict-dynamic' https://monorail-prod-default-v050-dot-monorail-prod.appspot.com/static/dist/ 'self' 'nonce-lpaAxZpfH7mMm3JoGYMEL9sz0bRwwqhD'"]
]]
```
Resulting in the following CSP:
```
default-src https: ; 'unsafe-eval' 'report-sample' 'unsafe-inline' 'strict-dynamic' https://monorail-prod-default-v050-dot-monorail-prod.appspot.com/static/dist/ 'self' 'nonce-lpaAxZpfH7mMm3JoGYMEL9sz0bRwwqhD' 'report-sample' 'unsafe-inline' 'strict-dynamic' https://monorail-prod-default-v050-dot-monorail-prod.appspot.com/static/dist/ 'self' 'nonce-6hfHjRMVPEZUBt0k5PTwgDjuLU5FqyYn'; child-src 'none'; frame-src accounts.google.com content-issuetracker.corp.googleapis.com login.corp.google.com up.corp.googleapis.com;img-src https: data: blob: ; style-src https: 'unsafe-inline'; object-src 'none'; base-uri 'none'; report-uri /csp.do
```
Notice that it is missing the script-src directive.
Also, we should be able to modify the policy, rather than completely replacing it - notice the nonces in the first example - those are different every page load. A simple regex search/replace should be enough. (Should I make this its own issue?)
Chrome: Version 80.0.3987.87 (Official Build) (64-bit)
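The "modify, don't replace" behaviour the post above asks for, shown as an added example that is not the extension's own code: the header is parsed into its directives, a single directive is appended to or replaced, and the rest of the policy (including per-request nonces) is serialized back unchanged. The names parseCsp, patchCsp and patchResponseHeaders, the `{add: [...]}`/`{set: [...]}` rule shape and the sample policy are my own assumptions, not the extension's options format.

```javascript
// Parse "dir1 v1 v2; dir2 v3" into a Map of directive name -> array of sources.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    const key = name.toLowerCase();
    // Browsers honour only the first occurrence of a directive; mirror that.
    if (!policy.has(key)) policy.set(key, values);
  }
  return policy;
}

// Serialize the Map back into header form, preserving directive order.
function serializeCsp(policy) {
  return Array.from(policy, ([name, values]) => [name, ...values].join(' ')).join('; ');
}

// rules: [[directive, {add: [...]}] | [directive, {set: [...]}], ...]
// "add" appends sources to the directive (creating it if absent, skipping
// duplicates); "set" replaces the directive's value wholesale.
function patchCsp(header, rules) {
  const policy = parseCsp(header);
  for (const [directive, rule] of rules) {
    const name = directive.toLowerCase();
    if (rule.set) {
      policy.set(name, [...rule.set]);
    } else if (rule.add) {
      const current = policy.get(name) || [];
      policy.set(name, current.concat(rule.add.filter((v) => !current.includes(v))));
    }
  }
  return serializeCsp(policy);
}

// Apply the rules to a webRequest-style response header list ({name, value}),
// covering both the enforcing and the report-only header.
const CSP_HEADERS = ['content-security-policy', 'content-security-policy-report-only'];
function patchResponseHeaders(headers, rules) {
  return headers.map((h) =>
    CSP_HEADERS.includes(h.name.toLowerCase())
      ? { name: h.name, value: patchCsp(h.value, rules) }
      : h
  );
}

// Constructed sample modelled on the Instagram error quoted in the first post.
const SAMPLE = "default-src 'self'; worker-src 'self' https://www.instagram.com; script-src 'nonce-abc123' 'self'";
```

Only the directive named in a rule changes, so the script-src nonce survives a worker-src patch and the directive name is never dropped from the output.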
Just a simple change to support the report-only version of the header.