Doesn't work on Github due to "Content Security Policy" #72
Comments
I'm not sure if there's a way around this. Can we modify the CSP dynamically in the bookmarklet, or would that be a bad thing to do security-wise?
You can't change CSP using JavaScript in a bookmarklet: the only ways to set CSP are using an HTTP header or a You can:
I used DevTools Local Overrides https://developers.google.com/web/updates/2018/01/devtools#overrides to work around this issue for
@guest271314 can you elaborate on how you worked around this? I see how to enable overrides, but not sure what to do next.
@llamafilm
@llamafilm Since then I've written this extension to get rid of CSP headers altogether https://github.com/guest271314/remove-csp-header.
The bookmarklet does not work on Github, and possibly other sites with CSP policies.
On a customized Firefox 69.0.3 install, I get
> Content Security Policy: The page’s settings blocked the loading of a resource at https://unpkg.com/@mourner/[email protected]/bullshit.js (“script-src”).

On a vanilla Chrome 77.0.3865.90 install, I get

> Refused to load the script 'https://unpkg.com/@mourner/[email protected]/bullshit.js' because it violates the following Content Security Policy directive: "script-src github.githubassets.com". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

Windows 10 x64.
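How the browser arrives at the refusal quoted in the issue, as an added example that is not part of the original thread or the project's code: a simplified evaluator for external script loads that applies the `script-src-elem` to `script-src` to `default-src` fallback and host-source matching. The function names, the placeholder unpkg.com path and `https://github.com/` as the page URL are assumptions; nonces, hashes and ports are not modelled.

```javascript
// Added example: simplified CSP check for external <script> loads. Handles
// host-, scheme-source, 'self', '*' and 'none'; nonces, hashes and ports are not modelled.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored by browsers: the first occurrence wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// The fallback Chrome's message refers to: script-src-elem, then script-src, then default-src.
function governingDirective(policy) {
  return ['script-src-elem', 'script-src', 'default-src'].find((d) => policy.has(d)) || null;
}

function sourceMatches(expr, url, pageOrigin) {
  const src = expr.toLowerCase();
  if (src === "'self'") return url.origin === pageOrigin;
  if (src === '*') return ['http:', 'https:'].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return url.protocol === src; // scheme-source
  if (src.startsWith("'")) return false; // 'none', nonces, hashes, other keywords
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(?:\d+|\*))?(\/.*)?$/i.exec(expr);
  if (!m) return false;
  const scheme = (m[1] ? m[1] + ':' : new URL(pageOrigin).protocol).toLowerCase();
  const host = m[2].toLowerCase();
  // An http source also matches the https form of the same host, never the reverse.
  if (url.protocol !== scheme && !(scheme === 'http:' && url.protocol === 'https:')) return false;
  const hostOk = host.startsWith('*.') ? url.hostname.endsWith(host.slice(1)) : url.hostname === host;
  if (!hostOk) return false;
  if (!m[3]) return true;
  // A path ending in "/" is a prefix match; any other path must match exactly.
  return m[3].endsWith('/') ? url.pathname.startsWith(m[3]) : url.pathname === m[3];
}

function isScriptAllowed(header, scriptUrl, pageUrl) {
  const policy = parseCsp(header);
  const directive = governingDirective(policy);
  if (!directive) return { allowed: true, directive }; // nothing restricts script loads
  const url = new URL(scriptUrl);
  const origin = new URL(pageUrl).origin;
  return { allowed: policy.get(directive).some((s) => sourceMatches(s, url, origin)), directive };
}

// Constructed inputs: the directive quoted in the Chrome error above, a placeholder
// unpkg.com path, and https://github.com/ assumed as the page being viewed.
const quoted = 'script-src github.githubassets.com';
console.log(isScriptAllowed(quoted, 'https://unpkg.com/placeholder/script.js', 'https://github.com/'));
console.log(isScriptAllowed(quoted, 'https://github.githubassets.com/app.js', 'https://github.com/'));
```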