Robbendebiene / Gesturefy

Navigate, operate, and browse faster with mouse gestures! A customizable Firefox mouse gesture add-on with a variety of different commands.
https://addons.mozilla.org/firefox/addon/gesturefy/
GNU General Public License v3.0

User scripts don't work on certain pages like Github #569

Open MrBlubberBut opened 3 years ago

MrBlubberBut commented 3 years ago

Describe your matter in detail

  1. Under Extras, turn Wheel gesture on
  2. Under either Wheel down or Wheel up, set one to "Execute user script" and paste a script in. Can be a custom one.
  3. But, if you don't have one on hand, paste this in: "javascript:(function(doc){if(doc.classList.contains("no-anchors")){doc.classList.remove("no-anchors")}else{doc.classList.add("no-anchors")}})(document.documentElement)"
  4. If you are using the script provided, type ":root.no-anchors a{ pointer-events: none }" in userContent.css and restart Firefox.
  5. This script toggles the clickable elements on the page.
  6. Activate the user script through the Wheel gesture when on a GitHub page. It should not work.
  7. FYI, I can still activate the script manually, just not through Gesturefy.

Your System

Robbendebiene commented 3 years ago

Unfortunately this is an error with the content security policy (you can see an error in the console when you run the script through Gesturefy). This is similar to #258. I'm not aware of any good solution besides this https://bugzilla.mozilla.org/show_bug.cgi?id=1516478, which is not implemented yet.


More info about this bug can be found here:

MrBlubberBut commented 3 years ago

I see. Are there any other notable sites (besides official Mozilla sites) where user scripts do not work?

Robbendebiene commented 3 years ago

The only one I know about (besides GitHub) is Twitter.

MrBlubberBut commented 3 years ago

Thanks, I can also confirm it does not work there.

Perhaps a list can be made for such websites, just so everyone is aware, unless the list is really, really small.

Edit: A bit off topic, but I would like to say thank you guys for figuring out a workaround for hotkeys on here (wheel gestures and rocker gestures), since I believe Firefox restricts a lot of keyboard functionality.

Perhaps more mouse buttons can be added, though? Such as if a mouse had 10 mouse side mouse buttons, would that be possible?

Robbendebiene commented 3 years ago

> Perhaps a list can be made for such websites, just so everyone is aware, unless the list is really, really small.

I agree. I've already searched for such a list, since this affects most of the user script managers like tampermonkey, but I couldn't find anything.

As a workaround you can also completely disable the CSP as described here: https://github.com/Robbendebiene/Gesturefy/issues/258#issuecomment-423450123 but I personally wouldn't recommend that.


> Edit: A bit off topic, but I would like to say thank you guys for figuring out a workaround for hotkeys on here (wheel gestures and rocker gestures), since I believe Firefox restricts a lot of keyboard functionality. Perhaps more mouse buttons can be added, though? Such as if a mouse had 10 mouse side mouse buttons, would that be possible?

In theory one should be able to detect the so-called "back and forward" buttons too. However, it doesn't work on my end; maybe it does on yours? You may test this with this fiddle (not made by me). It should output some information whenever a mouse button is clicked.

MrBlubberBut commented 3 years ago

I couldn't get forward or back to work either.

> As a workaround you can also completely disable the CSP as described here: #258 (comment) but I personally wouldn't recommend that.

Could you perhaps explain why? Security reasons or other?

Robbendebiene commented 3 years ago

> Could you perhaps explain why? Security reasons or other?

Yes, I'm not an expert on CSP, but it can prevent cross-site scripting attacks, which however should already be prevented beforehand. So it's just another line of defense. If somehow the website programmers forgot to sanitize some user input text and this finds its way back to the website, this will still prevent XSS attacks. So it's not necessary but can be helpful. MDN is always a good source if you want to learn more :)
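
An added example (not from the thread and not Gesturefy's code) of the rule a browser applies to an inline `<script>` element that carries no nonce. It shows why the same policy that stops an XSS payload also stops a user script injected into the page, assuming the injection takes that inline form. The header values and `.example` host names are constructed, and only enforced `Content-Security-Policy` values are modelled, not report-only ones.

```javascript
// Added example. Policies are constructed samples, not any real site's header.
// Question answered: would an inline <script> element carrying no nonce
// (what a page-script injection or an XSS payload produces) be allowed to run?

function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored by browsers: the first occurrence wins.
    // Sources are lowercased only because this check matches keywords.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
    }
  }
  return directives;
}

function policyAllowsInline(policy) {
  const d = parsePolicy(policy);
  // Fallback chain that governs <script> elements.
  const list = d.get('script-src-elem') ?? d.get('script-src') ?? d.get('default-src');
  if (list === undefined) return true; // no directive governs scripts
  // A nonce, a hash or 'strict-dynamic' makes browsers ignore 'unsafe-inline'.
  const overridden = list.some((s) =>
    /^'(nonce|sha256|sha384|sha512)-/.test(s) || s === "'strict-dynamic'");
  return list.includes("'unsafe-inline'") && !overridden;
}

// A response can carry several policies (comma-separated); every one must allow.
function inlineScriptAllowed(headerValue) {
  return headerValue.split(',').every((p) => policyAllowsInline(p));
}

const SAMPLES = { // constructed header values
  'no-csp.example': '',
  'legacy.example': "default-src 'self'; script-src 'self' 'unsafe-inline'",
  'strict.example': "default-src 'none'; script-src static.example",
  'nonce.example': "script-src 'nonce-cjRuZG9t' 'unsafe-inline' https:",
  'two-policies.example': "script-src 'unsafe-inline', script-src 'self'",
};

// Sites on which an injected inline script would be refused.
function blockedSites(samples) {
  return Object.keys(samples).filter((site) => !inlineScriptAllowed(samples[site]));
}

console.log(blockedSites(SAMPLES));
```

Feeding the function the `Content-Security-Policy` response header of a site is one way to build the kind of list discussed earlier in the thread.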

RichardSimple commented 1 year ago

If I create a simple userscript like

// ==UserScript==
// @name        Test
// @include     *
// ==/UserScript==
console.log(this);

and install it into Violentmonkey, it runs on CSP-protected pages just fine (and logs a Sandbox object). As I understand this, VM attempts to inject its scripts into the page, and if it fails, it injects them as "content scripts" (hence the Sandbox as global this(?)).

Since it works for VM, would it be possible for Gesturefy to use the same approach, or is it still too insecure/too dirty of a hack/... ?
This is not a complete solution, as window of the page is not accessible to scripts executed in this way (they have a copy of it for their own use: https://github.com/violentmonkey/violentmonkey/issues/1001), but it will allow to run at least some user-script commands from gestures, as opposed to none at all.

Robbendebiene commented 1 year ago

I'm somewhat reluctant to run user scripts as direct content scripts for security reasons (reviewers also may decline this working principle for an extension that is mainly focused around mouse gestures). One could endlessly argue about this, since user scripts are an advanced feature the users should know what they are doing, but on the other hand a lot of people just trust others and copy & paste others' code.

I would like to use Firefox's userScripts API, but it can only execute scripts by domain/patterns and not in a specific tab. I already made a feature request on Bugzilla for this a while ago.

Btw with the upcoming manifest 3 running arbitrary code (user scripts) as content scripts or page scripts (which is what Gesturefy currently does) won't be possible any more for security reasons. That's why I already raised my voice for an appropriate API: