Closed lunethefirst closed 4 years ago
Here's the rule I tried:
[
  ["https://steampowered\\.com", [
    ["script-src", "script-src https://cdn.jsdelivr.net"]
  ]]
]
Then, I visited https://steampowered.com in Chromium, hit Ctrl+Shift+J, and pasted this:
var script = document.createElement("script");
script.src = "https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js";
document.documentElement.appendChild(script);
And no errors appeared. In contrast, if I remove the rule, the script would fail to load, reporting something like:
Refused to load the script 'https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' …
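An added example, not part of the reply above and not the extension's own code: it models the rule as a regular-expression replace on the CSP header value and checks whether the jsDelivr script is permitted before and after the rewrite. The replace semantics, the unanchored URL match, the sample header and the helper names `applyRules`, `scriptSources` and `scriptAllowed` are assumptions made for illustration.

```javascript
// Rule copied from the reply above.
const rules = [
  ["https://steampowered\\.com", [
    ["script-src", "script-src https://cdn.jsdelivr.net"]
  ]]
];

// Constructed sample header; the real policy is truncated on this page.
const sampleCsp =
  "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src *";

// Assumed model: each [pattern, replacement] pair is a regex replace on the
// header value, applied only when the URL pattern matches the page URL.
function applyRules(pageUrl, csp, ruleSet) {
  let out = csp;
  for (const [urlPattern, subs] of ruleSet) {
    if (!new RegExp(urlPattern).test(pageUrl)) continue;
    for (const [pattern, replacement] of subs) {
      out = out.replace(new RegExp(pattern), replacement);
    }
  }
  return out;
}

// Source list that governs scripts: script-src, falling back to default-src.
function scriptSources(csp) {
  const directives = new Map();
  for (const part of csp.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, values);
  }
  return directives.get("script-src") ?? directives.get("default-src") ?? null;
}

// Simplified matcher: handles *, 'self' and scheme+host sources only.
function scriptAllowed(csp, scriptUrl, pageUrl) {
  const sources = scriptSources(csp);
  if (sources === null) return true; // no directive restricts scripts
  const script = new URL(scriptUrl);
  const page = new URL(pageUrl);
  return sources.some((src) => {
    if (src === "*") return true;
    if (src === "'self'") return script.origin === page.origin;
    if (src.startsWith("'")) return false; // keywords, nonces and hashes never match a URL
    try { return new URL(src).origin === script.origin; } catch { return false; }
  });
}
```

Under this model a page URL such as `https://store.steampowered.com/` does not match the rule's URL pattern, so its header is returned unchanged.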
Hey, thanks for this reply, I'll try again with your example. (=
Hey, happy holidays!
I was testing this on Steam (steampowered.com) and noticed that I was unable to disable CSP for loading scripts. I used a few variations of the URL and, using the background page/debugger, it looked like the extension was indeed running, but I still couldn't get "script-src" to allow URLs from my domain.
I found a workaround using a different extension but wanted to give you a heads up. I'll try and add some more details later.