Rufflewind / chrome_cspmod

Chrome extension to alter the Content Security Policy of webpages.
https://chrome.google.com/webstore/detail/lhieoncdgamiiogcllfmboilhgoknmpi

Extension Does Not Seem to Disable CSP for Certain Sites #4

Closed lunethefirst closed 4 years ago

lunethefirst commented 4 years ago

Hey, happy holidays!

I was testing this on Steam (steampowered.com) and noticed that I was unable to disable CSP for loading scripts. I used a few variations of the URL and using the background page/debugger, it looked like the extension was indeed running but I still couldn't get "script-src" to allow URLs from my domain.

I found a workaround using a different extension but wanted to give you a heads up. I'll try and add some more details later.

Rufflewind commented 4 years ago

  1. What page (URL) did you visit?
  2. Can you show me the rule you tried?

Here's the rule I tried:

```json
[
    ["https://steampowered\\.com", [
       ["script-src", "script-src https://cdn.jsdelivr.net"]
    ]]
]
```

Then, I visited https://steampowered.com in Chromium, hit Ctrl+Shift+J, and pasted this:

```js
var script = document.createElement("script");
script.src = "https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js";
document.documentElement.appendChild(script);
```

And no errors appeared. In contrast, if I remove the rule, the script would fail to load, reporting something like:

Refused to load the script 'https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' …
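
Added illustration (not part of the thread and not the extension's own code): a small model of what the rule above does to a policy, assuming each inner pair is a regular-expression search and replace applied to the Content-Security-Policy header value of pages whose URL matches the outer pattern. The sample policy is constructed, and `applyRules`, `scriptSources` and `allowsScript` are hypothetical helpers.

```javascript
// Rule from the comment above, written as a JavaScript literal.
const rules = [
  ["https://steampowered\\.com", [
    ["script-src", "script-src https://cdn.jsdelivr.net"]
  ]]
];

// Constructed sample policy; the real header is truncated in the thread.
const SAMPLE_CSP =
  "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'";

// Assumed semantics: for every rule whose URL regex matches the page URL,
// apply each [pattern, replacement] pair to the header value in order.
function applyRules(ruleList, pageUrl, csp) {
  for (const [urlPattern, substitutions] of ruleList) {
    if (!new RegExp(urlPattern).test(pageUrl)) continue;
    for (const [pattern, replacement] of substitutions) {
      csp = csp.replace(new RegExp(pattern), replacement);
    }
  }
  return csp;
}

// Return the source list of the script-src directive, or null if absent.
function scriptSources(csp) {
  for (const directive of csp.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "script-src") return sources;
  }
  return null;
}

// Simplified check: exact origin match against script-src only. It ignores
// 'self', wildcards, paths, nonces, hashes and the default-src fallback.
function allowsScript(csp, scriptUrl) {
  const sources = scriptSources(csp);
  return sources !== null && sources.includes(new URL(scriptUrl).origin);
}

const MATHJAX = "https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js";
const rewritten = applyRules(rules, "https://steampowered.com/", SAMPLE_CSP);
console.log(rewritten);
console.log(allowsScript(SAMPLE_CSP, MATHJAX), allowsScript(rewritten, MATHJAX));
```

Under these assumptions the rewritten policy keeps every original `script-src` source and gains one more origin, so the rule widens the page's script allowlist rather than replacing it.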

lunethefirst commented 4 years ago

Hey, thanks for this reply, I'll try again with your example. (=