
Doesn't work on Github due to "Content Security Policy" #72

Open
nyanpasu64 opened this issue Oct 13, 2019 · 6 comments

Comments

@nyanpasu64

The bookmarklet does not work on Github, and possibly other sites with CSP policies.

On a customized Firefox 69.0.3 install, I get:

> Content Security Policy: The page’s settings blocked the loading of a resource at https://unpkg.com/@mourner/[email protected]/bullshit.js (“script-src”).

On a vanilla Chrome 77.0.3865.90 install, I get:

> Refused to load the script 'https://unpkg.com/@mourner/[email protected]/bullshit.js' because it violates the following Content Security Policy directive: "script-src github.githubassets.com". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

Windows 10 x64.

@mourner
Owner

mourner commented Oct 13, 2019

I'm not sure if there's a way around this. Can we modify the CSP dynamically in the bookmarklet, or would that be a bad thing to do security-wise?

@qgustavor

> Can we modify the CSP dynamically in the bookmarklet

You can't change CSP using JavaScript in a bookmarklet: the only ways to set a CSP are an HTTP header or a <meta> element; once set, it can't be changed.

You can:

  • Make a CSP-friendly bookmarklet containing the entire bullshit.js code.
  • Make an extension: those can bypass webpages' content security policies.
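Why the bookmarklet's script load is refused, as an added example (not code from bullshit.js or from any commenter): a simplified CSP script-source matcher that applies the script-src-elem, then script-src, then default-src fallback quoted in the Chrome message above. The function names and the unpkg sample URL in the comments are assumptions made up for the demonstration.

```javascript
// Added example, not code from bullshit.js: a simplified CSP script-source matcher.
// Covers directive fallback, 'self', 'none', scheme-sources and host-sources; nonces,
// hashes, 'strict-dynamic' and path matching are deliberately omitted.

function parseCsp(header) {
  const policy = {};
  for (const directive of header.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1)); // *.example.com
  return pattern === host;
}

// Does one source expression allow `url` to load on a page whose origin is `pageOrigin`?
function sourceAllows(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url.origin === pageOrigin;
  if (s.startsWith("'")) return false; // 'unsafe-inline', 'nonce-…', 'sha256-…' never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme-source, e.g. https:
  // host-source: [scheme://]host[:port][/path]; a missing scheme accepts any scheme here (simplification)
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\*|\d+))?(\/.*)?$/);
  if (!m) return false;
  const [, scheme, hostPattern, port] = m;
  if (scheme && url.protocol !== scheme + ':') return false;
  if (!hostMatches(hostPattern, url.hostname)) return false;
  if (port && port !== '*') {
    const urlPort = url.port || (url.protocol === 'https:' ? '443' : '80');
    if (port !== urlPort) return false;
  }
  return true;
}

// Pick the governing directive with the fallback chain Chrome's message describes,
// then allow the script only if one of that directive's sources matches.
function scriptAllowed(header, scriptUrl, pageOrigin) {
  const policy = parseCsp(header);
  const directive = ['script-src-elem', 'script-src', 'default-src'].find((d) => d in policy);
  if (!directive) return true; // no governing directive: CSP does not restrict this load
  const url = new URL(scriptUrl);
  return policy[directive].some((src) => sourceAllows(src, url, pageOrigin));
}
```

With GitHub's quoted policy `script-src github.githubassets.com`, `scriptAllowed` returns false for any unpkg.com URL and true only for scripts served from github.githubassets.com, which is exactly the decision both browsers reported.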

@guest271314

I used DevTools Local Overrides https://developers.google.com/web/updates/2018/01/devtools#overrides to work around this issue for AudioContext.audioWorklet.addModule(url) WebAudio/web-audio-api-v2#109.

@llamafilm

@guest271314 can you elaborate on how you worked around this? I see how to enable overrides, but not sure what to do next.

@UltraBlackLinux

@llamafilm
https://github.com/mourner/bullshit.js/blob/3fd69e1b748ffc0da67188f4a01afbaca0163a06/index.html
view raw -> save -> open -> reveal CSP friendly version -> drag into bookmarks -> done

@guest271314

@llamafilm Since then I've written this extension to get rid of CSP headers altogether https://github.com/guest271314/remove-csp-header.
