Open micalevisk opened 3 years ago
When I tried to inject a dumb JS script into https://github.com I got this error:
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).
triggered by this line: https://github.com/Lor-Saba/Code-Injector/blob/3ef819aa51a3ccfed882ef0526d8316ec0485d6c/script/main/inject.js#L34
is there a way to bypass this?
The Content-Security-Policy response header is:
default-src 'none'; base-uri 'self'; block-all-mixed-content; connect-src 'self' uploads.github.com www.githubstatus.com collector.githubapp.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com cdn.optimizely.com logx.optimizely.com/v1/events wss://alive.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com; manifest-src 'self'; media-src 'none'; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; worker-src github.com/socket-worker.js gist.github.com/socket-worker.js
btw I do not want to use Tampermonkey/Greasemonkey
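To see why the browser rejects the injected inline script on github.com, here is an added example (not code from the Code-Injector project or from the reporter) that evaluates the quoted policy the way a browser does for scripts: `script-src` governs, falling back to `default-src` when absent, and inline script needs `'unsafe-inline'` (with no nonce or hash present) or a matching nonce/hash. The host-matching rules are simplified (no scheme or port handling) and the header is a constructed excerpt of the one quoted above.

```javascript
// Constructed excerpt of the github.com header quoted in the issue (script-relevant directives).
const GITHUB_CSP = "default-src 'none'; base-uri 'self'; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com";

// Parse "directive src src; directive src" into a Map of directive -> source list.
// Per CSP, a directive repeated in one policy keeps its first occurrence.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    if (!policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Scripts are governed by script-src; if it is absent the browser falls back to default-src.
// null means neither is present, i.e. no script restriction at all.
function effectiveScriptSources(policy) {
  return policy.get('script-src') ?? policy.get('default-src') ?? null;
}

// Simplified host-source matching: 'self', '*', exact host, and '*.example.com' wildcards.
function hostMatches(expr, origin, pageOrigin) {
  const e = expr.toLowerCase();
  if (e === "'self'") return origin === pageOrigin;
  if (e === '*') return true;
  if (e.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces, hashes never match a host
  const hostExpr = e.replace(/^[a-z]+:\/\//, '').split('/')[0];
  const originHost = origin.replace(/^[a-z]+:\/\//, '').split('/')[0];
  if (hostExpr.startsWith('*.')) return originHost.endsWith(hostExpr.slice(1));
  return hostExpr === originHost;
}

// An inline <script> is allowed only via 'unsafe-inline' (ignored once a nonce or hash
// source is present) or a matching nonce/hash; this checker has no nonce to offer, so
// any policy that carries nonces/hashes rejects an arbitrary injected block.
function inlineScriptAllowed(policy) {
  const sources = effectiveScriptSources(policy);
  if (sources === null) return true;
  const hasNonceOrHash = sources.some(s => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// An external <script src=...> is allowed if some host source matches its origin.
function externalScriptAllowed(policy, scriptOrigin, pageOrigin) {
  const sources = effectiveScriptSources(policy);
  if (sources === null) return true;
  return sources.some(s => hostMatches(s, scriptOrigin, pageOrigin));
}
```

Run against the github.com policy, `inlineScriptAllowed` is false and only `github.githubassets.com` passes `externalScriptAllowed`, which is exactly the "blocked ... at inline ('script-src')" message in the report.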
Same happens on MS Teams (https://teams.microsoft.com)
Seems to happen on twitter too
It's been three years since the opening of this issue and still no fix. 😑️ btw it also happens on spotify