rufflewind / chrome_cspmod Goto Github PK

Hi I tried using your extension because I faced the necessity to override Instagram worker-src.

I have an extension that downloads Instagram media as a ZIP archive, and now Instagram has apparently changed smth and I am unable to access Worker.

The error is: "Refused to create a worker from 'blob:https://www.instagram.com/---' because it violates the following Content Security Policy directive: "worker-src 'self' https://www.instagram.com"

So I added this to the Options of your extension:
["https://instagram\.com", [
["worker-src", "worker-src blob:"]
]]
]

But the CSP is not changed for some reason. Can you help me with this?
Thanks.

Hey, happy holidays!

I was testing this on Steam (steampowered.com) and noticed that I was unable to disable CSP for loading scripts.
I used a few variations of the URL and using the background page/debugger, it looked like the extension was indeed running but I still couldn't get "script-src" to allow URLs from my domain.

I found a workaround using a different extension but wanted to give you a heads up.
I'll try and add some more details later.

I tried using the following rule:

    ["https://twitter\\.com", [
        ["script-src", "'unsafe-eval' 'self' 'unsafe-inline' https://*.twimg.com   https://www.google-analytics.com https://twitter.com  'nonce-YzFkN2FkNmYtOWExNC00MjZjLThlZDYtNGY0YjgyMTVjZWRh'"]
    ]]

Which does not work. The only thing I can think of that might be an issue is the service worker twitter is using. (P.S. I know extensions can mess with service worker responses, because the "Disable Content-Security-Policy" extension successfully removes all CSP, I just want to modify it, not remove it completely.)

Additionally this failed:

    ["https://bugs\\.chromium\\.org", [
        ["script-src", "'unsafe-eval' 'report-sample' 'unsafe-inline' 'strict-dynamic' https://monorail-prod-default-v050-dot-monorail-prod.appspot.com/static/dist/ 'self' 'nonce-lpaAxZpfH7mMm3JoGYMEL9sz0bRwwqhD'"]
    ]]

Resulting in the following CSP:
default-src https: ; 'unsafe-eval' 'report-sample' 'unsafe-inline' 'strict-dynamic' https://monorail-prod-default-v050-dot-monorail-prod.appspot.com/static/dist/ 'self' 'nonce-lpaAxZpfH7mMm3JoGYMEL9sz0bRwwqhD' 'report-sample' 'unsafe-inline' 'strict-dynamic' https://monorail-prod-default-v050-dot-monorail-prod.appspot.com/static/dist/ 'self' 'nonce-6hfHjRMVPEZUBt0k5PTwgDjuLU5FqyYn'; child-src 'none'; frame-src accounts.google.com content-issuetracker.corp.googleapis.com login.corp.google.com up.corp.googleapis.com;img-src https: data: blob: ; style-src https: 'unsafe-inline'; object-src 'none'; base-uri 'none'; report-uri /csp.do

Notice that it is missing the script-src directive.

Also, we should be able to modify the policy, rather than completely replacing it - notice the nonces in the 1st example - those are different every page load. A simple regex search/replace should be enough. (Should I make this its own issue?)

Chrome: Version 80.0.3987.87 (Official Build) (64-bit)

Just a simple change to support the report-only version of the header.